Latest 30 Comments

Quoting: CarollySomebody who is.... overly enthusiastic about anything and who appears dismissive to people's concerns is going to trip that flag for people.

A lot of your replies are lengthy, defensive, and boil down to "but Monero" and that's going to trip that flag for a lot of people, especially on a subject like crypto where excessive enthusiasm for a crypto poduct has almost invariably ended in "oops it's another scam" for more than a decade.

But that's the problem. I say a few things unrelated to Bitcoin, and other users turn the other direction and write monologues going "the problem with Bitcoin is..." when my message was talking about something else. I'm dismissive about all the Bitcoin paragraphs because they don't apply to what I was saying.

Also I never said people should tust me like you claim here, on the contrary, you should actually go do your own research and verify all of this yourself. Maybe you'll learn something new.

I'm well aware of the crypto baggage, it sucks hard, and its so bad it actually influences how I write, like I keep thinking "how do I answer this question without it unintentionally sounding like some web3 bullshit to the uninitiated". It's extra daunting when all that effort gets thrown out and people either don't read or selectively choose what they want to respond to in my messages, and this specifically continues to the next part here:

I'll also point out that what Monero is most known for among the general public is its prevalence in malware and popularity with the criminal element including Darknet retailers and CSAM traders. Saying it has a bit of a reputation problem would be significantly understating the situation.

Let this be the last time I answer these type of questions, since it is clear that when I do, they don't always get read.

I've already addressed the use in crime. You can't dismiss a technology just because criminals make use of it, I'll say the same example again: what other type of money gets used for illicit acts, a lot more than Monero does, even ? Physical cash. Guess we're gonna start to ban that ?

Criminals are among the first to adopt new technologies, whether it is to gain an edge, or to protect themselves from getting caught, this is a well established phenomenon; printing (to print counterfeit currency), the telegraph and the phone (to coordinate scams and crimes), railway and cars for quick escape, the internet and so on. It's nothing new.

If you want to be consistent, you should be like those EU officials who want to ban encryption for citizens. Ban the Tor network, VPNs, virtual machines and encrypted messengers because criminals can and do use them.

If anything, with the idea it is used in criminal activities, and those criminals are getting away because of it, the fact of the matter here is this all means the technology works. Not how I would prefer for it to be demonstrated, but facts are facts.

Prevalence in malware ? Come on, man. Do you know how that sounds ? This is like when a game publisher denies Linux players access to their online game because of "the prevalence of hacking and cheating on Linux". Linux is most known among the general public for hacking, does that mean this is all what it's about ?

View this comment - View article - View full comments - Report this comment

Late comment but I have to say that this is the first time that I've encountered a game that absolutely requires a controller. If you launch without one, the game prompts you about its absence then exits.

😲

View this comment - View article - View full comments - Report this comment

It seems I'm unaffected, but WOW what a disaster. With all the newbies flocking to CachyOS and other Arch based distros, there are definitely going to be some bad outcomes here.

I hope the Arch community comes up with something that isn't just victim blaming newbies for not having their security dialed. The AUR is universally easily accessible and recommended with caveats that disavow responsibility. So Arch fans gave their fair warnings, sure, but then threw newbies to the wolves.

This will go down as AURgate

View this comment - View article - View full comments - Report this comment

I got this game a while back and it keeps paying off like no mans sky

View this comment - View article - View full comments - Report this comment

Quoting: LoudTechie

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: tuubiI view people who get very passionate about crypto the same way I view enthusiastic small-time stock traders. They keep talking my ear off about how they make (or save) money with it and everyone should do it, and I indulge them to a point because I'm nice and patient like that (in real life more than online), but I just don't find any of it interesting. Money is a necessity and I've never been wealthy enough to ignore it. It's just not something I could ever get passionate about.

Im sorry, but point to me where I did this here, where did I talk about making or saving money, market price, hype and all that wall street crap ?

Monero would protect my financial activity from heavily regulated banks and my government, which I'm a lot less concerned about. Some communities have excellent reasons to hide this activity, but most of us do not.

Only if you choose to. You can disclose your transactions for taxes or any other reason. I could explain how it works but I'm getting fed up with still being talked to like a crypto bro, I'll just share that optional transparency is a built-in function into a Monero wallet for auditing and taxes etc.

I'm not paranoid and this isn't about paranoia. Speaking for myself for example, I recognise what is a real and what is a more theoretical danger when I'm constructing my threat model, but most of the time, I use privacy tools out of principle more than out of immediate need. This is something I feel is lost for many people recently, at least that's what I'm getting online. Recently I keep recalling that one Luke Smith youtube video about in projects like Linux, how users are slowly abandoning the freedom hard lines started with Free Software and GNU etc. I think we need more hardasses, the Stallman type, so we don't drift away in convenience and complacency.

On the hyped up cryptobro part.
You're not being treated like a cryptobro. You're experiencing something even more frustrating:
"I've nothing to hide."
A cryptobro would get fundamental disbelief in the promises they make, not in their value.
"crypto is decentralized": except for all the exit scams.
"crypto is the future": except for all the exit scams.
"crypto can do anything": you don't know what you're talking about.
"crypto ...": I'm done hearing about these scams.

As to why this is frustrating,
a. because it devalues other people's needs.
b. because it undercounts one's reliance on fundamental rights.
To say it with a quote I got from schneiers website, but attributed to someone else.
Saying you don't need privacy, because you've nothing to hide is like saying you don't need free speech, because you have nothing to say.

About the complacency part.
I disagree kinda.
Users are going to the centralized semi-free options, because they come from fully proprietary systems and are used to thinking that way and have become to love the strengths of the existing systems.
In general it's going in the right direction.
Just not in the jumps hardliners and early adopters believe in.

Also even a little extra freedom helps a lot.
If Redhat sufficiently fucks up systemD we can fork it with a patch. Would this be a lot of work, yes. Would this be less work than the entire Wine project(which tackles the Windows equivalent) easily, because we have the source code.
Do proprietary kernel modules render your system less free and give root to dangerous parties, absolutely. Still I can patch the interface to limit their power and repair their mistakes For Windows and Mac that requires a jailbreak.
Do locked bootloaders illegally, but unrepentant limit consumer choice. Undeniably, but they still can't sue you under the DMCA for a jailbreak.
Or an example from this forum. If our proprietary electron program botches their testing we can still patch electron without any license problems.

Hardasses are important they remind us how we can improve the world, but they're too blinded by their rage to see the the individual value of the incremental improvements.

I think it's an issue of balance. Taking the SystemD example, when is it that the community draws the line ? Personally, the comically-fast and instant compliance with age verification fiasco a month or two ago was it for ne. I'm sort of coerced to continue to use SystemD currently, even though that was the final straw for me and I'd rather use something else now.

So it's like a continuous battle to balance out the hardass-ness with the complacency. I tend to lean more on the former (even though I don't at all feel like I'm doing a lot of work in doing so, it just seems to me everyone else is so lazy and quick to sideline what they claim to believe in). But as long as the right people don't go all the way and they don't lose the plot, you're right in that fighting back is possible.

Also, about regulations being a necessity etc etc, I get it. But I really won't play along if any countermeasure gets implemented ends up chipping away at one of the rights that were once given, that's in brief my angle on all that 'the system is important, actually'.

On the age gating fiasco.
That was a reaction to a passed law.
Yes, it's problematic, but the reason they can get away with it is that the government is backing them.
Anyone who wants to make that fork has to fight the law and [we know the law often wins.](https://genius.com/The-clash-i-fought-the-law-lyrics)
Most distros also include an Api for handling USA crypto export controls.

It was more about how fast they jumped on that. I remember within the same newsfeed that day, I read how System76 CEO advising open source devs to hold on for a bit because he was exploring exclusion for FOSS OS's, and shortly after SystemD implements the thing.

And sure, they would've eventually had to by law, it still counts as a redflag for me.

View this comment - View article - View full comments - Report this comment

This is for when you've played too much of [Placid Plastic Duck Simulator](https://store.steampowered.com/app/1999360/Placid_Plastic_Duck_Simulator/) and you don't know what to do with all these ducks.😅

View this comment - View article - View full comments - Report this comment

Quoting: PyrateYou continue to talk about Bitcoin and bitcoin-like crytpo in particular, like everything I've mentioned about Monero is irrelevant. With all due respect, after this message, if I feel like what I type isn't being engaged with, I think I'm better off spending my time doing something else rather than write a few paragraphs that'll get avoided.

Is this really how you guys find my messages, like PR ? I only answered what I got asked. How can I prove to you that I'm actually debating in good faith and out of passion ? I don't understand how my messages get read like intense ads, like, did I ever do the thing and talked about price, or said "you should buy it now, it'll go to the moon !!" or anything like that ? Genuinely curious here.

Somebody who is.... overly enthusiastic about anything and who appears dismissive to people's concerns is going to trip that flag for people.

A lot of your replies are lengthy, defensive, and boil down to "but Monero" and that's going to trip that flag for a lot of people, especially on a subject like crypto where excessive enthusiasm for a crypto product has almost invariably ended in "oops it's another scam" for more than a decade.

If you really want to make progress with this, start from the position that people have really legitimate reasons for being doubtful, rather than "I feel insulted when people who don't know me don't inherently trust me when I start hyping a product from a market niche with a known history of failed hype cycles and fraudulent behaviour."

I'll also point out that what Monero is most known for among the general public is its prevalence in malware and popularity with the criminal element including Darknet retailers and CSAM traders. Saying it has a bit of a reputation problem would be significantly understating the situation.

View this comment - View article - View full comments - Report this comment

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: tuubiI view people who get very passionate about crypto the same way I view enthusiastic small-time stock traders. They keep talking my ear off about how they make (or save) money with it and everyone should do it, and I indulge them to a point because I'm nice and patient like that (in real life more than online), but I just don't find any of it interesting. Money is a necessity and I've never been wealthy enough to ignore it. It's just not something I could ever get passionate about.

Im sorry, but point to me where I did this here, where did I talk about making or saving money, market price, hype and all that wall street crap ?

Monero would protect my financial activity from heavily regulated banks and my government, which I'm a lot less concerned about. Some communities have excellent reasons to hide this activity, but most of us do not.

Only if you choose to. You can disclose your transactions for taxes or any other reason. I could explain how it works but I'm getting fed up with still being talked to like a crypto bro, I'll just share that optional transparency is a built-in function into a Monero wallet for auditing and taxes etc.

I'm not paranoid and this isn't about paranoia. Speaking for myself for example, I recognise what is a real and what is a more theoretical danger when I'm constructing my threat model, but most of the time, I use privacy tools out of principle more than out of immediate need. This is something I feel is lost for many people recently, at least that's what I'm getting online. Recently I keep recalling that one Luke Smith youtube video about in projects like Linux, how users are slowly abandoning the freedom hard lines started with Free Software and GNU etc. I think we need more hardasses, the Stallman type, so we don't drift away in convenience and complacency.

On the hyped up cryptobro part.
You're not being treated like a cryptobro. You're experiencing something even more frustrating:
"I've nothing to hide."
A cryptobro would get fundamental disbelief in the promises they make, not in their value.
"crypto is decentralized": except for all the exit scams.
"crypto is the future": except for all the exit scams.
"crypto can do anything": you don't know what you're talking about.
"crypto ...": I'm done hearing about these scams.

As to why this is frustrating,
a. because it devalues other people's needs.
b. because it undercounts one's reliance on fundamental rights.
To say it with a quote I got from schneiers website, but attributed to someone else.
Saying you don't need privacy, because you've nothing to hide is like saying you don't need free speech, because you have nothing to say.

About the complacency part.
I disagree kinda.
Users are going to the centralized semi-free options, because they come from fully proprietary systems and are used to thinking that way and have become to love the strengths of the existing systems.
In general it's going in the right direction.
Just not in the jumps hardliners and early adopters believe in.

Also even a little extra freedom helps a lot.
If Redhat sufficiently fucks up systemD we can fork it with a patch. Would this be a lot of work, yes. Would this be less work than the entire Wine project(which tackles the Windows equivalent) easily, because we have the source code.
Do proprietary kernel modules render your system less free and give root to dangerous parties, absolutely. Still I can patch the interface to limit their power and repair their mistakes For Windows and Mac that requires a jailbreak.
Do locked bootloaders illegally, but unrepentant limit consumer choice. Undeniably, but they still can't sue you under the DMCA for a jailbreak.
Or an example from this forum. If our proprietary electron program botches their testing we can still patch electron without any license problems.

Hardasses are important they remind us how we can improve the world, but they're too blinded by their rage to see the the individual value of the incremental improvements.

I think it's an issue of balance. Taking the SystemD example, when is it that the community draws the line ? Personally, the comically-fast and instant compliance with age verification fiasco a month or two ago was it for ne. I'm sort of coerced to continue to use SystemD currently, even though that was the final straw for me and I'd rather use something else now.

So it's like a continuous battle to balance out the hardass-ness with the complacency. I tend to lean more on the former (even though I don't at all feel like I'm doing a lot of work in doing so, it just seems to me everyone else is so lazy and quick to sideline what they claim to believe in). But as long as the right people don't go all the way and they don't lose the plot, you're right in that fighting back is possible.

Also, about regulations being a necessity etc etc, I get it. But I really won't play along if any countermeasure gets implemented ends up chipping away at one of the rights that were once given, that's in brief my angle on all that 'the system is important, actually'.

On the age gating fiasco.
That was a reaction to a passed law.
Yes, it's problematic, but the reason they can get away with it is that the government is backing them.
Anyone who wants to make that fork has to fight the law and [we know the law often wins.](https://genius.com/The-clash-i-fought-the-law-lyrics)
Most distros also include an Api for handling USA crypto export controls.

View this comment - View article - View full comments - Report this comment

The AUR isn't inherently any more dangerous than the official repos, the maintainers there could easily miss a malicious change like this by not checking out the npm packages that are downloaded. This only affects orphaned packages, that's where the problem lies. Quite frankly I think they should suspend or even delete PKGBUILDs that become orphaned instead, only allowing them to be claimed after going through a verification process. I'm sure helpers would be able to check for a flag that says the entry has been suspended and inform the user.
It would be different if the AUR operated more like Gentoo where you have to build the packages yourself, but PKGBUILDs abstract almost all of the process away to the point where the AUR isn't just a place to share scripts, it's a repository of automated installs.

View this comment - View article - View full comments - Report this comment

Quoting: GrishnakhNot panicking, for now, as I don't use npm or have any apps that do. But I agree with the sentiment: Oh dear.

You don't have to use npm to be affected. If you use any of the affected aur packages and you updated them in the last week or so then you might want to check your repos.

View this comment - View article - View full comments - Report this comment

Quoting: doragasu

Quoting: Liam Squires-Hand

Quoting: Breizh

the Arch Linux AUR (Arch User Repository) needs some better security and package checks […] for some improvements to the packaging processes to prevent this from happening in future.

Well, there is no check at all currently. The AUR is just a way for user to share what they use personnally, it shouldn’t be trusted.

People that use AUR recipes without checking them before can only be angry against themself, it’s like getting a random script on GitHub and running it blindly…

Of course, cleaning the AUR as it’s going now is a good thing, but Arch could simply close the AUR and ask people to share their PKGBUILDs elsewhere instead.

That's my point though - it *needs* some checks. Otherwise, the people responsible for keeping the AUR online become responsible for helping to spread malware. Just telling people to check whatever code or recipe isn't going to cut it.

While you are rising a valid point, I don't see how that could happen. AUR packages can pull sources from anywhere and run any kind of script, and thus automated checks do not seem possible. And if they manually check them, well, they would just not be AUR packages, they would be normal packages.

IMO they should implement a system to report packages, but other than that I think there's little they can do other than closing AUR entirely (and IMO that would be a great loss, I am currently using 54 AUR packages on my system, and I maintain 14 of them: https://aur.archlinux.org/packages?SeB=m&K=doragasu).

Also note that IMO this problem is not that big for power users using Arch, but for users of Arch derivatives that incorporate tools that automatically install and update software from AUR without the user understanding the risks. On standard Arch, for you to install an AUR packages you have to follow the wiki to manually build at the very least an AUR helper, and understand the risks.

Although certainly not perfect an automated hash check for known [malware signatures](https://github.com/Yara-Rules/rules) would greatly help.
Malware writers are a lazy bunch they tend to automate their injection and reuse code.
This at least limits their scale.

View this comment - View article - View full comments - Report this comment

don't panic. all of your aur packages are fine, if you use a dozen of popular ones, that were not orphaned. still, check the mailing list just in case.

i wish official arch linux repos included packages that other distros do, even some arch based repos include apps like heroic launcher and vesktop. debian has vmtouch.

meanwhile arch repos have some half broken image viewers and similar abandonware, that should be removed

View this comment - View article - View full comments - Report this comment

Quoting: doragasu

Quoting: Liam Squires-Hand

Quoting: Breizh

the Arch Linux AUR (Arch User Repository) needs some better security and package checks […] for some improvements to the packaging processes to prevent this from happening in future.

Well, there is no check at all currently. The AUR is just a way for user to share what they use personnally, it shouldn’t be trusted.

People that use AUR recipes without checking them before can only be angry against themself, it’s like getting a random script on GitHub and running it blindly…

Of course, cleaning the AUR as it’s going now is a good thing, but Arch could simply close the AUR and ask people to share their PKGBUILDs elsewhere instead.

That's my point though - it *needs* some checks. Otherwise, the people responsible for keeping the AUR online become responsible for helping to spread malware. Just telling people to check whatever code or recipe isn't going to cut it.

While you are rising a valid point, I don't see how that could happen. AUR packages can pull sources from anywhere and run any kind of script, and thus automated checks do not seem possible. And if they manually check them, well, they would just not be AUR packages, they would be normal packages.

IMO they should implement a system to report packages, but other than that I think there's little they can do other than closing AUR entirely (and IMO that would be a great loss, I am currently using 54 AUR packages on my system, and I maintain 14 of them: https://aur.archlinux.org/packages?SeB=m&K=doragasu).

Also note that IMO this problem is not that big for power users using Arch, but for users of Arch derivatives that incorporate tools that automatically install and update software from AUR without the user understanding the risks. On standard Arch, for you to install an AUR packages you have to follow the wiki to manually build at the very least an AUR helper, and understand the risks.

If they cannot do any checks - that's just a glaring flaw in the entire design of the AUR and so yes - it should be shut. If it's just going to repeatedly be a huge security issue like this, then why should it exist? It's dangerous.

View this comment - View article - View full comments - Report this comment

Quoting: TriciaPearsonI used to use it on Windows in the past. I've seen the news on the Linux_Gaming reddit a few days ago, but I've also seen negative comments regarding the lack of open source code visibility (code is dated 2023 on their Github) but most specifically other malwares / bad surprises / bloatware contained in some Windows versions, so I'm really concerned now that I'm switching to Linux, about my security and a bit unsettled by the Reddit posts.

I want to be happy given that I've waited this news for a while, but I may just wait another more transparent program that does that, I'm not sure where to place myself, I want to have good security practices and not download anything that could have like naughty surprises inside. Anyway I'm not planning on paying a Patreon so I need to wait regardless so that's a non question atm for me.

In a simple case you might get away with.

 
gdb
set hp 47
running program

If I'm not mistaken
@syylk might have some deeper and better insight.

View this comment - View article - View full comments - Report this comment

Quoting: Liam Squires-Hand

Quoting: Breizh

the Arch Linux AUR (Arch User Repository) needs some better security and package checks […] for some improvements to the packaging processes to prevent this from happening in future.

Well, there is no check at all currently. The AUR is just a way for user to share what they use personnally, it shouldn’t be trusted.

People that use AUR recipes without checking them before can only be angry against themself, it’s like getting a random script on GitHub and running it blindly…

Of course, cleaning the AUR as it’s going now is a good thing, but Arch could simply close the AUR and ask people to share their PKGBUILDs elsewhere instead.

That's my point though - it *needs* some checks. Otherwise, the people responsible for keeping the AUR online become responsible for helping to spread malware. Just telling people to check whatever code or recipe isn't going to cut it.

While you are rising a valid point, I don't see how that could happen. AUR packages can pull sources from anywhere and run any kind of script, and thus automated checks do not seem possible. And if they manually check them, well, they would just not be AUR packages, they would be normal packages.

IMO they should implement a system to report packages, but other than that I think there's little they can do other than closing AUR entirely (and IMO that would be a great loss, I am currently using 54 AUR packages on my system, and I maintain 14 of them: https://aur.archlinux.org/packages?SeB=m&K=doragasu).

Also note that IMO this problem is not that big for power users using Arch, but for users of Arch derivatives that incorporate tools that automatically install and update software from AUR without the user understanding the risks. On standard Arch, for you to install an AUR packages you have to follow the wiki to manually build at the very least an AUR helper, and understand the risks.

View this comment - View article - View full comments - Report this comment

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: tuubiI view people who get very passionate about crypto the same way I view enthusiastic small-time stock traders. They keep talking my ear off about how they make (or save) money with it and everyone should do it, and I indulge them to a point because I'm nice and patient like that (in real life more than online), but I just don't find any of it interesting. Money is a necessity and I've never been wealthy enough to ignore it. It's just not something I could ever get passionate about.

Im sorry, but point to me where I did this here, where did I talk about making or saving money, market price, hype and all that wall street crap ?

Monero would protect my financial activity from heavily regulated banks and my government, which I'm a lot less concerned about. Some communities have excellent reasons to hide this activity, but most of us do not.

Only if you choose to. You can disclose your transactions for taxes or any other reason. I could explain how it works but I'm getting fed up with still being talked to like a crypto bro, I'll just share that optional transparency is a built-in function into a Monero wallet for auditing and taxes etc.

I'm not paranoid and this isn't about paranoia. Speaking for myself for example, I recognise what is a real and what is a more theoretical danger when I'm constructing my threat model, but most of the time, I use privacy tools out of principle more than out of immediate need. This is something I feel is lost for many people recently, at least that's what I'm getting online. Recently I keep recalling that one Luke Smith youtube video about in projects like Linux, how users are slowly abandoning the freedom hard lines started with Free Software and GNU etc. I think we need more hardasses, the Stallman type, so we don't drift away in convenience and complacency.

On the hyped up cryptobro part.
You're not being treated like a cryptobro. You're experiencing something even more frustrating:
"I've nothing to hide."
A cryptobro would get fundamental disbelief in the promises they make, not in their value.
"crypto is decentralized": except for all the exit scams.
"crypto is the future": except for all the exit scams.
"crypto can do anything": you don't know what you're talking about.
"crypto ...": I'm done hearing about these scams.

As to why this is frustrating,
a. because it devalues other people's needs.
b. because it undercounts one's reliance on fundamental rights.
To say it with a quote I got from schneiers website, but attributed to someone else.
Saying you don't need privacy, because you've nothing to hide is like saying you don't need free speech, because you have nothing to say.

About the complacency part.
I disagree kinda.
Users are going to the centralized semi-free options, because they come from fully proprietary systems and are used to thinking that way and have become to love the strengths of the existing systems.
In general it's going in the right direction.
Just not in the jumps hardliners and early adopters believe in.

Also even a little extra freedom helps a lot.
If Redhat sufficiently fucks up systemD we can fork it with a patch. Would this be a lot of work, yes. Would this be less work than the entire Wine project(which tackles the Windows equivalent) easily, because we have the source code.
Do proprietary kernel modules render your system less free and give root to dangerous parties, absolutely. Still I can patch the interface to limit their power and repair their mistakes For Windows and Mac that requires a jailbreak.
Do locked bootloaders illegally, but unrepentant limit consumer choice. Undeniably, but they still can't sue you under the DMCA for a jailbreak.
Or an example from this forum. If our proprietary electron program botches their testing we can still patch electron without any license problems.

Hardasses are important they remind us how we can improve the world, but they're too blinded by their rage to see the the individual value of the incremental improvements.

I think it's an issue of balance. Taking the SystemD example, when is it that the community draws the line ? Personally, the comically-fast and instant compliance with age verification fiasco a month or two ago was it for ne. I'm sort of coerced to continue to use SystemD currently, even though that was the final straw for me and I'd rather use something else now.

So it's like a continuous battle to balance out the hardass-ness with the complacency. I tend to lean more on the former (even though I don't at all feel like I'm doing a lot of work in doing so, it just seems to me everyone else is so lazy and quick to sideline what they claim to believe in). But as long as the right people don't go all the way and they don't lose the plot, you're right in that fighting back is possible.

Also, about regulations being a necessity etc etc, I get it. But I really won't play along if any countermeasure gets implemented ends up chipping away at one of the rights that were once given, that's in brief my angle on all that 'the system is important, actually'.

The community doesn't draw lines or circles.
Everybody makes their own choices, which is why we need these hardasses and early adopters. We need these people to test the waters and show how the world could look like.
Other less hardass people use that information to judge their own stance.

On the "it costs me little effort" thing. As a technical person you're probably familiar with the phrase, "but it works on my system". With the retard: "we're not shipping your system".
Remember that people are different in many ways. Things that are easy for you can be hard for others.
A good sobering measure could be measuring how often you either open the terminal or are configuring a translation layer.

On the rights thing.
What are those rights according to you?
Anonymity, clear.
Decentralization, clear.
The ability to easily spend and hold large amount of assets? Unclear.
Speedy transactions. Unclear.
etc.

One big thing I personally have an issue with is being able to spend X amount of money however I like. Sometimes sending funds to a family member or even my own self through another bank account in my name and the transaction gets picked up by the bank's shitty and probably AI based AML system and now my funds, depending on the bank, could be frozen for up to 24 hours. So the freedom to transact however the hell I want and to whomever I want (without Visa dictating if they're cool or not with the product you're buying). The banking system in this regard is atrocious. So that's in UK banks. Locally, I also have an issue with banks being unreliable in general in online shopping (would rather not share which country) but recently the Central Bank itself got hacked and terabytes worth of database were put up for sale, so I guess that's another thing to add.

What about speedy transactions.
X=X^2+C spending, where X is the amount of money spend in the current Y blocks and C is a constant.

Edit:
On the hackability of confidential info.
You're going to be so dissapointed if you follow my scumbag links.
Someone found a way to publicly trace individual transactions, while they're still in an incomplete block.
Building a non-hackable system is a great ambition and cryptography is the strongest tool we possess for that, but I think you're putting a little too much faith in it.

Fast transactions are of course nice. Admittedly this is something I'd like Monero to improve in, currently it's 10 blocks or about 20 minutes until any received funds can be spendable, they show up on your wallet instantly but you can only use them after the aforementioned block confirmations. Apparently academics found it's possible in the future to develop 0conf, so funds are useable instantly, but it sounds like that's something more far ahead for now.

Someone found a way to publicly trace individual transactions, while they're still in an incomplete block.

Can you be more specific here ? Haven't heard about this.

I can be a lot more specific(sorry for the crappy [link](https://monero.observer/antidarknet-collective-claims-responsibility-suspected-monero-spam-attack/))

and in my specificity I'm realizing this is more scaremongering than real(sorry).

In the past there've been several deanomyzation attacks among, which this one.

It's an old saturation attack.
It worked by making a lot of transaction to fill up blocks, so one could break the ring signatures by exclusion and poisoned data.
Fixed by switching to chain anonymization instead of block anonymization.
It was very visible[, because it showed in the amount of transactions.](https://www.reddit.com/r/Monero/comments/1bak3to/monero_spam_recap/)
Resulting in me noticing, but not doing enough research.

View this comment - View article - View full comments - Report this comment

Quoting: Breizh

the Arch Linux AUR (Arch User Repository) needs some better security and package checks […] for some improvements to the packaging processes to prevent this from happening in future.

Well, there is no check at all currently. The AUR is just a way for user to share what they use personnally, it shouldn’t be trusted.

People that use AUR recipes without checking them before can only be angry against themself, it’s like getting a random script on GitHub and running it blindly…

Of course, cleaning the AUR as it’s going now is a good thing, but Arch could simply close the AUR and ask people to share their PKGBUILDs elsewhere instead.

That's my point though - it *needs* some checks. Otherwise, the people responsible for keeping the AUR online become responsible for helping to spread malware. Just telling people to check whatever code or recipe isn't going to cut it.

View this comment - View article - View full comments - Report this comment

The attack is ongoing. There are now malicious packages being installed through bun. The attack follows the same format as the npm ones.

View this comment - View article - View full comments - Report this comment

Quoting: ROllerozxa

Quoting: mattaraxiaIt seems the issue isn't that npm based packages got compromised, but rather npm was added to packages that don't generally need it. They are using npm *IN THE BUILD STEP* not adding it to your system.

For the malicious packages I saw, the "npm install" was put into a .install file that bundles a hook in the package that gets run after installing a package. So just by looking at the PKGBUILD itself, it's completely fine apart from that addition (and there are packages that do need legit post-install hooks!), and nothing malicious happens when you build the package with makepkg, typically not as root.

It's only when you try to install the package with pacman that it runs the post-install hook... Which happens to run as root! Quite insidious, and I would say this is really clever from the attacker, but in reality it was probably devised by some AI agent with access to the Arch Wiki's packaging documentation...

It's default behavior for NPM poisoner.
This is just one of the many NPM poisoners trying to experiment with something new.
Post and preinstall hooks have wayy to much power in their current implementation for little-curated environments.

View this comment - View article - View full comments - Report this comment

Quoting: LoudTechie

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: tuubiI view people who get very passionate about crypto the same way I view enthusiastic small-time stock traders. They keep talking my ear off about how they make (or save) money with it and everyone should do it, and I indulge them to a point because I'm nice and patient like that (in real life more than online), but I just don't find any of it interesting. Money is a necessity and I've never been wealthy enough to ignore it. It's just not something I could ever get passionate about.

Im sorry, but point to me where I did this here, where did I talk about making or saving money, market price, hype and all that wall street crap ?

Monero would protect my financial activity from heavily regulated banks and my government, which I'm a lot less concerned about. Some communities have excellent reasons to hide this activity, but most of us do not.

Only if you choose to. You can disclose your transactions for taxes or any other reason. I could explain how it works but I'm getting fed up with still being talked to like a crypto bro, I'll just share that optional transparency is a built-in function into a Monero wallet for auditing and taxes etc.

I'm not paranoid and this isn't about paranoia. Speaking for myself for example, I recognise what is a real and what is a more theoretical danger when I'm constructing my threat model, but most of the time, I use privacy tools out of principle more than out of immediate need. This is something I feel is lost for many people recently, at least that's what I'm getting online. Recently I keep recalling that one Luke Smith youtube video about in projects like Linux, how users are slowly abandoning the freedom hard lines started with Free Software and GNU etc. I think we need more hardasses, the Stallman type, so we don't drift away in convenience and complacency.

On the hyped up cryptobro part.
You're not being treated like a cryptobro. You're experiencing something even more frustrating:
"I've nothing to hide."
A cryptobro would get fundamental disbelief in the promises they make, not in their value.
"crypto is decentralized": except for all the exit scams.
"crypto is the future": except for all the exit scams.
"crypto can do anything": you don't know what you're talking about.
"crypto ...": I'm done hearing about these scams.

As to why this is frustrating,
a. because it devalues other people's needs.
b. because it undercounts one's reliance on fundamental rights.
To say it with a quote I got from schneiers website, but attributed to someone else.
Saying you don't need privacy, because you've nothing to hide is like saying you don't need free speech, because you have nothing to say.

About the complacency part.
I disagree kinda.
Users are going to the centralized semi-free options, because they come from fully proprietary systems and are used to thinking that way and have become to love the strengths of the existing systems.
In general it's going in the right direction.
Just not in the jumps hardliners and early adopters believe in.

Also even a little extra freedom helps a lot.
If Redhat sufficiently fucks up systemD we can fork it with a patch. Would this be a lot of work, yes. Would this be less work than the entire Wine project(which tackles the Windows equivalent) easily, because we have the source code.
Do proprietary kernel modules render your system less free and give root to dangerous parties, absolutely. Still I can patch the interface to limit their power and repair their mistakes For Windows and Mac that requires a jailbreak.
Do locked bootloaders illegally, but unrepentant limit consumer choice. Undeniably, but they still can't sue you under the DMCA for a jailbreak.
Or an example from this forum. If our proprietary electron program botches their testing we can still patch electron without any license problems.

Hardasses are important they remind us how we can improve the world, but they're too blinded by their rage to see the the individual value of the incremental improvements.

I think it's an issue of balance. Taking the SystemD example, when is it that the community draws the line ? Personally, the comically-fast and instant compliance with age verification fiasco a month or two ago was it for ne. I'm sort of coerced to continue to use SystemD currently, even though that was the final straw for me and I'd rather use something else now.

So it's like a continuous battle to balance out the hardass-ness with the complacency. I tend to lean more on the former (even though I don't at all feel like I'm doing a lot of work in doing so, it just seems to me everyone else is so lazy and quick to sideline what they claim to believe in). But as long as the right people don't go all the way and they don't lose the plot, you're right in that fighting back is possible.

Also, about regulations being a necessity etc etc, I get it. But I really won't play along if any countermeasure gets implemented ends up chipping away at one of the rights that were once given, that's in brief my angle on all that 'the system is important, actually'.

The community doesn't draw lines or circles.
Everybody makes their own choices, which is why we need these hardasses and early adopters. We need these people to test the waters and show how the world could look like.
Other less hardass people use that information to judge their own stance.

On the "it costs me little effort" thing. As a technical person you're probably familiar with the phrase, "but it works on my system". With the retard: "we're not shipping your system".
Remember that people are different in many ways. Things that are easy for you can be hard for others.
A good sobering measure could be measuring how often you either open the terminal or are configuring a translation layer.

On the rights thing.
What are those rights according to you?
Anonymity, clear.
Decentralization, clear.
The ability to easily spend and hold large amount of assets? Unclear.
Speedy transactions. Unclear.
etc.

One big thing I personally have an issue with is being able to spend X amount of money however I like. Sometimes sending funds to a family member or even my own self through another bank account in my name and the transaction gets picked up by the bank's shitty and probably AI based AML system and now my funds, depending on the bank, could be frozen for up to 24 hours. So the freedom to transact however the hell I want and to whomever I want (without Visa dictating if they're cool or not with the product you're buying). The banking system in this regard is atrocious. So that's in UK banks. Locally, I also have an issue with banks being unreliable in general in online shopping (would rather not share which country) but recently the Central Bank itself got hacked and terabytes worth of database were put up for sale, so I guess that's another thing to add.

What about speedy transactions.
X=X^2+C spending, where X is the amount of money spend in the current Y blocks and C is a constant.

Edit:
On the hackability of confidential info.
You're going to be so dissapointed if you follow my scumbag links.
Someone found a way to publicly trace individual transactions, while they're still in an incomplete block.
Building a non-hackable system is a great ambition and cryptography is the strongest tool we possess for that, but I think you're putting a little too much faith in it.

Fast transactions are of course nice. Admittedly this is something I'd like Monero to improve in, currently it's 10 blocks or about 20 minutes until any received funds can be spendable, they show up on your wallet instantly but you can only use them after the aforementioned block confirmations. Apparently academics found it's possible in the future to develop 0conf, so funds are useable instantly, but it sounds like that's something more far ahead for now.

Someone found a way to publicly trace individual transactions, while they're still in an incomplete block.

Can you be more specific here ? Haven't heard about this.

View this comment - View article - View full comments - Report this comment

I'll hold back on AUR package updates on my Garuda box for the time being until they've fixed this issue.

Not sure if I have any of the packages that have bee compromised but I'd rather just be careful.

View this comment - View article - View full comments - Report this comment

A compromised npm.
That's meta.
Npm itself suffers greatly from malicious package inserts.(they suffer from an install process with too much power and insufficient credentials protection)

View this comment - View article - View full comments - Report this comment

AUR does not have package checks by definition, it puts that weight on the user.

As I always say, I have been using Arch as my main distro for 10+ years, and despite that (maybe because of that) I never recommend Arch!

View this comment - View article - View full comments - Report this comment

Quoting: ROllerozxa

Quoting: mattaraxiaSo it *does* run on the system as a hook, not in the build step?

Does it add npm as a dependency to the package then?

Yeah the ones I saw also added npm as a dependency to the package, which can be a red flag depending on what the package is about. If one is just using an AUR helper or does `makepkg -si` the difference isn't really whether it happens during build time or install time as the two happen at the same time, but there's a big difference in the privileges that the two run at.

Then I also heard that the payload in the npm package itself apparently installs an eBPF kernel module if it is running as root to disguise itself ([link to analysis someone has made of the malware](https://ioctl.fail/preliminary-analysis-of-aur-malware/)), so it does not seem to be a coincidence they did it like that.

Well that is so much worse. This may be one of the worst Linux malware campaigns I've ever seen that wasn't targeting specific enterprises, will catch a lot of, probably mostly, desktop users. I mean the apple-music-desktop package is in the list. All kinds of things like that.

I wonder if it will dent all the momentum Arch has right now.

View this comment - View article - View full comments - Report this comment

Quoting: Cley_FayeFor added fun, I had the game installed. So it is still installed, but can't be uninstalled, and can't be played. I just have a greyed out "install" button.

Nooooot great.

The solution to this:

-Right-click Cave Story+ in your Steam library and select "Properties".
-In the left menu, Select "Installed Files", then click "Browse...".
-Go up one directory level to ".../SteamLibrary/steamapps/common/" and delete the "Cave Story+" directory.
-Close and restart Steam, and now the game should show an "Update" button which will allow you to install the new version.

View this comment - View article - View full comments - Report this comment

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: tuubiI view people who get very passionate about crypto the same way I view enthusiastic small-time stock traders. They keep talking my ear off about how they make (or save) money with it and everyone should do it, and I indulge them to a point because I'm nice and patient like that (in real life more than online), but I just don't find any of it interesting. Money is a necessity and I've never been wealthy enough to ignore it. It's just not something I could ever get passionate about.

Im sorry, but point to me where I did this here, where did I talk about making or saving money, market price, hype and all that wall street crap ?

Monero would protect my financial activity from heavily regulated banks and my government, which I'm a lot less concerned about. Some communities have excellent reasons to hide this activity, but most of us do not.

Only if you choose to. You can disclose your transactions for taxes or any other reason. I could explain how it works but I'm getting fed up with still being talked to like a crypto bro, I'll just share that optional transparency is a built-in function into a Monero wallet for auditing and taxes etc.

I'm not paranoid and this isn't about paranoia. Speaking for myself for example, I recognise what is a real and what is a more theoretical danger when I'm constructing my threat model, but most of the time, I use privacy tools out of principle more than out of immediate need. This is something I feel is lost for many people recently, at least that's what I'm getting online. Recently I keep recalling that one Luke Smith youtube video about in projects like Linux, how users are slowly abandoning the freedom hard lines started with Free Software and GNU etc. I think we need more hardasses, the Stallman type, so we don't drift away in convenience and complacency.

On the hyped up cryptobro part.
You're not being treated like a cryptobro. You're experiencing something even more frustrating:
"I've nothing to hide."
A cryptobro would get fundamental disbelief in the promises they make, not in their value.
"crypto is decentralized": except for all the exit scams.
"crypto is the future": except for all the exit scams.
"crypto can do anything": you don't know what you're talking about.
"crypto ...": I'm done hearing about these scams.

As to why this is frustrating,
a. because it devalues other people's needs.
b. because it undercounts one's reliance on fundamental rights.
To say it with a quote I got from schneiers website, but attributed to someone else.
Saying you don't need privacy, because you've nothing to hide is like saying you don't need free speech, because you have nothing to say.

About the complacency part.
I disagree kinda.
Users are going to the centralized semi-free options, because they come from fully proprietary systems and are used to thinking that way and have become to love the strengths of the existing systems.
In general it's going in the right direction.
Just not in the jumps hardliners and early adopters believe in.

Also even a little extra freedom helps a lot.
If Redhat sufficiently fucks up systemD we can fork it with a patch. Would this be a lot of work, yes. Would this be less work than the entire Wine project(which tackles the Windows equivalent) easily, because we have the source code.
Do proprietary kernel modules render your system less free and give root to dangerous parties, absolutely. Still I can patch the interface to limit their power and repair their mistakes For Windows and Mac that requires a jailbreak.
Do locked bootloaders illegally, but unrepentant limit consumer choice. Undeniably, but they still can't sue you under the DMCA for a jailbreak.
Or an example from this forum. If our proprietary electron program botches their testing we can still patch electron without any license problems.

Hardasses are important they remind us how we can improve the world, but they're too blinded by their rage to see the the individual value of the incremental improvements.

I think it's an issue of balance. Taking the SystemD example, when is it that the community draws the line ? Personally, the comically-fast and instant compliance with age verification fiasco a month or two ago was it for ne. I'm sort of coerced to continue to use SystemD currently, even though that was the final straw for me and I'd rather use something else now.

So it's like a continuous battle to balance out the hardass-ness with the complacency. I tend to lean more on the former (even though I don't at all feel like I'm doing a lot of work in doing so, it just seems to me everyone else is so lazy and quick to sideline what they claim to believe in). But as long as the right people don't go all the way and they don't lose the plot, you're right in that fighting back is possible.

Also, about regulations being a necessity etc etc, I get it. But I really won't play along if any countermeasure gets implemented ends up chipping away at one of the rights that were once given, that's in brief my angle on all that 'the system is important, actually'.

The community doesn't draw lines or circles.
Everybody makes their own choices, which is why we need these hardasses and early adopters. We need these people to test the waters and show how the world could look like.
Other less hardass people use that information to judge their own stance.

On the "it costs me little effort" thing. As a technical person you're probably familiar with the phrase, "but it works on my system". With the retard: "we're not shipping your system".
Remember that people are different in many ways. Things that are easy for you can be hard for others.
A good sobering measure could be measuring how often you either open the terminal or are configuring a translation layer.

On the rights thing.
What are those rights according to you?
Anonymity, clear.
Decentralization, clear.
The ability to easily spend and hold large amount of assets? Unclear.
Speedy transactions. Unclear.
etc.

One big thing I personally have an issue with is being able to spend X amount of money however I like. Sometimes sending funds to a family member or even my own self through another bank account in my name and the transaction gets picked up by the bank's shitty and probably AI based AML system and now my funds, depending on the bank, could be frozen for up to 24 hours. So the freedom to transact however the hell I want and to whomever I want (without Visa dictating if they're cool or not with the product you're buying). The banking system in this regard is atrocious. So that's in UK banks. Locally, I also have an issue with banks being unreliable in general in online shopping (would rather not share which country) but recently the Central Bank itself got hacked and terabytes worth of database were put up for sale, so I guess that's another thing to add.

What about speedy transactions.
Z=X^2+C spending, where X is the amount of money spend in the latest Y blocks, C is a constant and Z is the amount of money you can spend this block.

Edit:
On the hackability of confidential info.
You're going to be so dissapointed if you follow my scumbag links.
Someone found a way to publicly trace individual transactions, while they're still in an incomplete block.
Building a non-hackable system is a great ambition and cryptography is the strongest tool we possess for that, but I think you're putting a little too much faith in it.

View this comment - View article - View full comments - Report this comment

the Arch Linux AUR (Arch User Repository) needs some better security and package checks […] for some improvements to the packaging processes to prevent this from happening in future.

Well, there is no check at all currently. The AUR is just a way for user to share what they use personnally, it shouldn’t be trusted.

People that use AUR recipes without checking them before can only be angry against themself, it’s like getting a random script on GitHub and running it blindly…

Of course, cleaning the AUR as it’s going now is a good thing, but Arch could simply close the AUR and ask people to share their PKGBUILDs elsewhere instead.

View this comment - View article - View full comments - Report this comment

Quoting: LoudTechie

Quoting: Pyrate

Quoting: LoudTechie

Quoting: Pyrate

Quoting: tuubiI view people who get very passionate about crypto the same way I view enthusiastic small-time stock traders. They keep talking my ear off about how they make (or save) money with it and everyone should do it, and I indulge them to a point because I'm nice and patient like that (in real life more than online), but I just don't find any of it interesting. Money is a necessity and I've never been wealthy enough to ignore it. It's just not something I could ever get passionate about.

Im sorry, but point to me where I did this here, where did I talk about making or saving money, market price, hype and all that wall street crap ?

Monero would protect my financial activity from heavily regulated banks and my government, which I'm a lot less concerned about. Some communities have excellent reasons to hide this activity, but most of us do not.

Only if you choose to. You can disclose your transactions for taxes or any other reason. I could explain how it works but I'm getting fed up with still being talked to like a crypto bro, I'll just share that optional transparency is a built-in function into a Monero wallet for auditing and taxes etc.

I'm not paranoid and this isn't about paranoia. Speaking for myself for example, I recognise what is a real and what is a more theoretical danger when I'm constructing my threat model, but most of the time, I use privacy tools out of principle more than out of immediate need. This is something I feel is lost for many people recently, at least that's what I'm getting online. Recently I keep recalling that one Luke Smith youtube video about in projects like Linux, how users are slowly abandoning the freedom hard lines started with Free Software and GNU etc. I think we need more hardasses, the Stallman type, so we don't drift away in convenience and complacency.

On the hyped up cryptobro part.
You're not being treated like a cryptobro. You're experiencing something even more frustrating:
"I've nothing to hide."
A cryptobro would get fundamental disbelief in the promises they make, not in their value.
"crypto is decentralized": except for all the exit scams.
"crypto is the future": except for all the exit scams.
"crypto can do anything": you don't know what you're talking about.
"crypto ...": I'm done hearing about these scams.

As to why this is frustrating,
a. because it devalues other people's needs.
b. because it undercounts one's reliance on fundamental rights.
To say it with a quote I got from schneiers website, but attributed to someone else.
Saying you don't need privacy, because you've nothing to hide is like saying you don't need free speech, because you have nothing to say.

About the complacency part.
I disagree kinda.
Users are going to the centralized semi-free options, because they come from fully proprietary systems and are used to thinking that way and have become to love the strengths of the existing systems.
In general it's going in the right direction.
Just not in the jumps hardliners and early adopters believe in.

Also even a little extra freedom helps a lot.
If Redhat sufficiently fucks up systemD we can fork it with a patch. Would this be a lot of work, yes. Would this be less work than the entire Wine project(which tackles the Windows equivalent) easily, because we have the source code.
Do proprietary kernel modules render your system less free and give root to dangerous parties, absolutely. Still I can patch the interface to limit their power and repair their mistakes For Windows and Mac that requires a jailbreak.
Do locked bootloaders illegally, but unrepentant limit consumer choice. Undeniably, but they still can't sue you under the DMCA for a jailbreak.
Or an example from this forum. If our proprietary electron program botches their testing we can still patch electron without any license problems.

Hardasses are important they remind us how we can improve the world, but they're too blinded by their rage to see the the individual value of the incremental improvements.

I think it's an issue of balance. Taking the SystemD example, when is it that the community draws the line ? Personally, the comically-fast and instant compliance with age verification fiasco a month or two ago was it for ne. I'm sort of coerced to continue to use SystemD currently, even though that was the final straw for me and I'd rather use something else now.

So it's like a continuous battle to balance out the hardass-ness with the complacency. I tend to lean more on the former (even though I don't at all feel like I'm doing a lot of work in doing so, it just seems to me everyone else is so lazy and quick to sideline what they claim to believe in). But as long as the right people don't go all the way and they don't lose the plot, you're right in that fighting back is possible.

Also, about regulations being a necessity etc etc, I get it. But I really won't play along if any countermeasure gets implemented ends up chipping away at one of the rights that were once given, that's in brief my angle on all that 'the system is important, actually'.

The community doesn't draw lines or circles.
Everybody makes their own choices, which is why we need these hardasses and early adopters. We need these people to test the waters and show how the world could look like.
Other less hardass people use that information to judge their own stance.

On the "it costs me little effort" thing. As a technical person you're probably familiar with the phrase, "but it works on my system". With the retard: "we're not shipping your system".
Remember that people are different in many ways. Things that are easy for you can be hard for others.
A good sobering measure could be measuring how often you either open the terminal or are configuring a translation layer.

On the rights thing.
What are those rights according to you?
Anonymity, clear.
Decentralization, clear.
The ability to easily spend and hold large amount of assets? Unclear.
Speedy transactions. Unclear.
etc.

One big thing I personally have an issue with is being able to spend X amount of money however I like. Sometimes sending funds to a family member or even my own self through another bank account in my name and the transaction gets picked up by the bank's shitty and probably AI based AML system and now my funds, depending on the bank, could be frozen for up to 24 hours. So the freedom to transact however the hell I want and to whomever I want (without Visa dictating if theyre cool or not with the product you're buying). The banking system in this regard is atrocious. So that's in UK banks. Locally, I also have an issue with banks being unreliable in general in online shopping (would rather not share which country) but recently the Central Bank itself got hacked and terabytes worth of database were put up for sale, so I guess that's another thing to add.

View this comment - View article - View full comments - Report this comment

Quoting: Pyrate

Quoting: LoudTechie

Quoting: tuubi

Quoting: Pyrate

Quoting: tuubiI view people who get very passionate about crypto the same way I view enthusiastic small-time stock traders. They keep talking my ear off about how they make (or save) money with it and everyone should do it, and I indulge them to a point because I'm nice and patient like that (in real life more than online), but I just don't find any of it interesting. Money is a necessity and I've never been wealthy enough to ignore it. It's just not something I could ever get passionate about.

Im sorry, but point to me where I did this here, where did I talk about making or saving money, market price, hype and all that wall street crap ?

I know, you come from a different angle. My example was mostly about the traders. But both groups (and I'm not talking about you, specifically) want to talk to me about money/currency, or how I'm using it wrong, or maybe how I should use this or that tech to get around the system.

Sorry that I kinda grouped you in with the cryptobros. In my defence, you compared me to Windows and WhatsApp users, which is way worse in my opinion. 😁

Quoting: Pyrate

Monero would protect my financial activity from heavily regulated banks and my government, which I'm a lot less concerned about. Some communities have excellent reasons to hide this activity, but most of us do not.

Only if you choose to. You can disclose your transactions for taxes or any other reason. I could explain how it works but I'm getting fed up with still being talked to like a crypto bro, I'll just share that optional transparency is a built-in function into a Monero wallet for auditing and taxes etc.

Yes, but this is a solution looking for a problem, or rather a solution to someone else's problem, as far as I can tell. And this isn't a disagreement you can fix by explaining. It's not intellectual laziness or lack of understanding on my part, and even less about giving up privacy for convenience. I wouldn't have been using Linux for ~25 years if that was the case, and I'd probably have owned an Android or Apple mobile device at some point. Or caved in and got on WhatsApp or LinkedIn or whatever social media I've been cajoled to join over the years. As I said, I like my privacy, but not everything privacy-related is equal in importance.

I don't mind that Monero exists, but if it's ever accepted as a mainstream currency, its use needs to be regulated and monitored, losing many of its apparent benefits.

Quoting: Pyrate

Quoting: LoudTechiealso relevant to this discussion.
Valve will never accept monero, because it's anonymous and decentralized.
The scammers for which they sacrificed their own gift cards would exploit exactly this decentralization and anonymity to hide their activity.

Even though I can't imagine how that could happen, (just like how I cant believe peoole sfill fall for gift card scams), you're probably right. I wonder when this stops being about a problem with gift cards and currencies, and more about people not thinking clearly when falling for these scams.

People will always fall for scams. That's not a problem that'll ever go away. Which is why we need governments, laws and regulations to protect the vulnerable. Of course governments do that with varying success and enthusiasm, but that's a political and social problem that doesn't have a technical solution.

On the anonymity thing
Anonymity from the bank is still achieved.
Only the regulator gets access to this information this way.

Also anonymity is valuable for everybody, because its a big part of our shield against oppression. In transactions and in communications. It's all the same.
Nothing to hide is a myth(kinda).
In this case for example you wouldn't be comfortable sharing your transaction details with me(don't do it please) proving there's at one person you want to hide this data from.
You don't know [who ](https://unbanx.substack.com/p/banks-are-selling-your-data-heres)your bank is sharing it with(maybe I'm it) or [what](https://artoftruth.org/data-broker-stalking-spokeo-harassment/) they're using it for.
Also anonymity is a herd immunity thing. Only when we're anonymous together are we truly anonymous(simplest case, when I know Monero has only one payer and one payed all transactions can easily be traced).

On the regulation thing.
I disagree that finance needs to be regulated on the current level.
It needs to be limited on the current level.
If crypto wants to succeed it must find a way to implement the currently centralized controls in a decentralized manner.
So not by sacrificing transaction anonymity, so the centralized police and banks can take care of it.
No by, building those controls in the system itself.
First start by copying the features of a good banking app.
MFA, double naming, transaction tagging, daily limits, blacklists, geoblocking, etc.
From that moment it can at least call itself a real decentralized alternative to banks.
If it wants to become an alternative to financial regulators.
It needs to obtain dedicated Big Fish controls, trusted judgement, sanctions, white listing, public minting, etc.

So contrary to you I believe Monero like crypto has great potential. Contrary to Pyrate I think it's not there yet.

I simply no longer take "I have nothing to hide" people seriously. Maybe in time they'll realise how naive a statement that is.

Yeah you seem to have a low view of the naive.
I think naivety is a great good.
It's trust the glue of our society.
People assume that it will be alright and don't look in that direction, because someone they trust handles the issue.
They believe they've nothing to hide, because they believe the things they want hidden are already hidden.
I'm simply a security engineer. It's my passion to patch the distance between trust and trustworthiness with cold hard logic, so society can get used to an even more trustworthy world.

Edit:
In a way the naive are just like the hardasses they show us how our society should be.

View this comment - View article - View full comments - Report this comment

Quoting: mattaraxiaSo it *does* run on the system as a hook, not in the build step?

Does it add npm as a dependency to the package then?

Yeah the ones I saw also added npm as a dependency to the package, which can be a red flag depending on what the package is about. If one is just using an AUR helper or does `makepkg -si` the difference isn't really whether it happens during build time or install time as the two happen at the same time, but there's a big difference in the privileges that the two run at.

Then I also heard that the payload in the npm package itself apparently installs an eBPF kernel module if it is running as root to disguise itself ([link to analysis someone has made of the malware](https://ioctl.fail/preliminary-analysis-of-aur-malware/)), so it does not seem to be a coincidence they did it like that.

View this comment - View article - View full comments - Report this comment