All right, it is five o'clock. It's time for me to pass this mic on to SGP, who will be passing it on to these guys. This is the panel with all of these guys. Let's just go ahead and introduce everybody real quick.

Okay, awesome. So welcome, everyone. We are just having a very informal panel here with many of these lovely participants. I'll give them all a chance to introduce themselves, and there will be plenty of time for audience questions because we have a full hour. So if you didn't see me earlier today, I'm Justin. I'm just going to be leading a casual discussion here, so hold your hand up with questions as we have time later. My handle is SGP, or Samsung Galaxy Player, and no, I'm not sponsored by Samsung. All right, we'll pass the mic down.

My name is anonimal. What about English? They call me anonimal, but my name is anonimal. Eat the mic.

Hi everyone, I'm Riccardo, Riccardo Spagni. You may know me as fluffypony. I feel like I said that already today.

My name is Shamik. I'm on the security team at Coinbase.

Name's Paul. Name's Paul. You might know me by endogenic, or tweeting Paul S. It's not really clear if it's plural or just singular in my last name.

Awesome, perfect. So anonimal, you can keep the mic. I know you spent the last several hours talking about Kovri and what privacy means to you, but I think it's a good opening question to go down the line. Since you already gave a two-hour talk about privacy, if you could just give a 30-second one here: what does privacy mean to you, and why do you feel like what projects are doing with Monero helps further that? And if that's a not applicable question, what is privacy to you?

Well, I don't believe there's such a thing as privacy. I think what we're doing is attempting to achieve the impossible, but it's not really impossible yet because we haven't proven that. If anyone was here for the first part of the talk, they would know exactly what I'm talking about. So why am I doing this?
I'm attempting to emulate, hack an emulation of, bringing two points of space-time into one while still retaining the same qualities. I mean, really, that's what it comes down to. Why? Because I think that's the essence of love, and essentially that's what we're expressing. But you know, think of all the name-calling you've been called just because you use the software, and then you can just laugh and say, no, I just want to join two points of space-time together into one.

And what does it mean for Monero? What do you see you're working on with Kovri? Do you want to take a second to talk about Kovri?

Oh, well, okay. So Kovri, well, do you want the textbook definition?

The quick definition.

Oh, so okay. So when you use Monero, when you use basically anything, you have an origin IP address if you're using the internet, right? Essentially, unless you're using an overlay network which anonymizes your location, your address. And that's what Kovri will do, essentially completing the, I don't know, is it a cycle or circle, of the Monero project goal to have this truly decentralized, trustless, functionally private software and community, so you can have really, actually anonymized transactions.

Perfect, yeah, thanks a lot. If you can pass the mic down, we can continue the privacy discussions.
I think from my perspective privacy, I'm eating the mic, sorry. I think privacy is a basic human right, or it should be a basic human right. And that's not to say that I am anti law enforcement. You know, there are bad people in the world, you know, there are murderers and stuff, and sure, no problem, law enforcement needs to catch them. I just don't think they need to snort up all my data to do so. I'm against passive surveillance. I think that that's not an objectively good way of enforcing laws, and I think that unfortunately what's happened over the past 30 years, which is roughly the time period we've had traceable money, is law enforcement has gotten really lazy, and what they've decided to do is put the burden of enforcing laws, the burden of figuring out who is suspicious, on financial institutions. So you know, you get a deposit of a certain size and your bank reports you. Like, why is your bank the lawmaker? Why is your bank the detective who decides that you're suspicious? Surely law enforcement officers should be the ones doing that. And I think that that's what we're trying to achieve with Monero, is a world that, you know, we're not able to solve everything, but at least we can try and solve the problem of passive surveillance and force things to go back to the way they were when law enforcement agencies did their job. Thank you.

I am surprisingly in agreement, roughly, with what you're saying, which is: working at an exchange means we have to be an enforcer for laws that we don't necessarily get to decide, right? And so if we have to give information out about a user to a law enforcement agency, it's because we are being forced to. We have to do so in order to do business in the U.S.
But back to the actual privacy bit: it's a basic human expectation, right? And it's where and how, the circumstances in which you're communicating, who you're talking to, right? I talk to my doctor, I have an expectation of privacy. I talk to a journalist, I have no such expectation, right? And for us, particularly in a product team, it's how do we make sure that that expectation of privacy carries over to all the different expectations a user has. Thank you.

Yeah, just from a basic definition standpoint, I would say privacy seems to be the option to disclose what you want to disclose. So I would say, to your point, giving that option to the users is exactly what we need to do. And you know, in all of these technologies there is the interface with the real world, and that's where information that gets disclosed really lives. So yeah, people need to have that kind of option.

Awesome. So Paul, you can keep the mic for a second. I have a quick question for you. So you represent MyMonero, you're the CEO of MyMonero, which is a common web wallet and also recently an application wallet for Monero. So can you speak broadly about some of the challenges that you faced developing and maintaining these services for the Monero ecosystem?

Yeah, totally, that's a really good question. I think probably the biggest challenge we have right now is keeping up with Monero, and the reason that that's important primarily is so that all of the usage of people on MyMonero blends into all of the other Monero usage, you know, so that nothing stands out. For that purpose we've had to port a lot of the Monero cryptography techniques and protocol implementations. I mean, I wouldn't say that it's so much of a challenge because I enjoy it, but I think the other really big thing we work on is making sure that this technology is accessible. One of the things Riccardo mentioned earlier was that people just don't know these terms like address and view key, and so understanding what those things mean in
real life, in real usage, and translating that is definitely a big task.

So how do you approach finding out what's usable to everyday people? Do you have test groups? How do you consult to figure out what is a streamlined experience for people?

Right, yeah, that's exactly it. So there are official and unofficial test groups. Official in the sense that there are people that I regularly talk to about this stuff, and they give me all kinds of feedback and we work on next versions and things like that. But the other thing is I really enjoy talking to people about just how they use Monero in general, and listening to the sticking points, or how people design services that use Monero or are built on top of Monero, and where the technology needs to be massaged, basically. Like, for example, recently someone was working on a way to include order details in a transaction, and figuring out exactly the right way to do that definitely requires analysis of the technology.

Perfect, thank you. I think we can move on to Shamik. I have just a question for you. If you want to talk more specifically about Monero, let me know, but I didn't want to keep putting you on the spot for Monero related questions. You can answer "why Monero", yes, we had the question earlier today with one of your co-workers. But I'm curious: Coinbase has gone through a series of different approaches to two-step authentication for its applications. If I remember correctly, you previously had a partnership with Authy, and then that was dropped in favor of other systems. So can you speak to the difficulties related to user security, actually logging into these accounts, and also specifically talk about how two-factor plays kind of an important role in that?

I think the important thing to do here first is establish what a Coinbase user looks like. One of our goals as an exchange is to make cryptocurrency available as an on-ramp, right? We want people who otherwise would
never interact with crypto or crypto-like systems to be able to buy, sell, hold, trade, send off platform, just interact with crypto in any sort of way. With that comes no expectation of any kind of savviness with regard to their user account or user security, right? There's no way we can make sure this user has a safe email address, for example, or that they haven't reused passwords in places, or that they haven't even done something as simple as keep their TOTP seed as a screenshot in their drive, in their email. So at one point, you lose the email address, you lose the TOTP seed. So with that said, part of the work that we do is we try to find 2FA methods that are usable by most users, right? It's on their device, or it's available to them to use in the browser, what have you, and then they'll actually interact with it. One of the most interesting pieces of individual feedback I've gotten from a user is asking why we do device verification emails: can't you tell it's just me? Right? And well, no, we can't, which is why we have to do device verification. So for us we're saying, how difficult can we make it for an attacker while still making it trivial for a user? There is a world where you could imagine even Coinbase-branded hardware that just does 2FA for you, however we want to implement it on the other side. But that's like a far-out world, someplace that we'd love to get to.

Awesome. I have a tough question for you, Riccardo.

That's all right.

This is in relation to Tari. So you are the co-founder of Tari. In the past you have been very vocal against a lot of the ICOs and essentially a lot of the problems that were created in the Ethereum ecosystem, that were perpetuated by hype, perpetuated by people being able to make these digital assets for the sake of essentially spreading hype and gathering money. So I'm curious, with Tari, can you speak to how Tari itself, which enables this sort of activity on the Monero platform and
essentially brings this sort of ICO culture closer to the Monero ecosystem? How do you reconcile that, and how do you approach that sort of thought process?

Sure. I think the first thing is that I don't have a sort of standing opinion that all ICOs are bad and every ICO that will ever exist will be bad. I think that ICOs in general are, from a regulatory perspective, murky. I think they're ethically murky. I think they're mostly mishandled and mismanaged, and I think they're largely done by people that would be laughed out the door if they went to traditional VC. And that's, you know, not to say again that every ICO is bad. I think there's scope for security tokens. I think security tokens are really interesting: if you can divvy up your company and instead of issuing shares you issue a security token, and that could trade freely on secondary markets, that's something that is interesting to me as a way of doing an IPO-style organization or public company. I think that we are still a while away from understanding what the laws are going to look like around that, from having a regulatory framework that encourages good behavior, because I mean an ICO is not decentralized. There's a central issuer and they've got to comply with laws. This is not a decentralized technology, and I think we need to wait for regulators and see what they do. And from Tari's perspective, I mean, you know, Tari's permissionless. It's not like we have a permissioned environment where it's like, please apply, launch your token and we'll decide. So people are gonna do what they're gonna do, and it's not like we can prevent them from doing that. I mean, someone could build a colored coins protocol on Monero tomorrow. It wouldn't be a particularly good idea, but I mean it could be done. So someone can do that and launch an ICO using Monero and we wouldn't be able to stop them. So I think that
on the one hand there's hope for the future that ICOs will become less murky, there's hope that security tokens will be something that's interesting and Tari will be ready for that coming wave, and on the other hand, even if I felt differently and I thought that every ICO was bad, I still wouldn't be able to stop them.

So I'll follow up a question on that. So Tari is merge-mined with Monero, but it's its own separate chain. So are you concerned that Tari as a company will be exposed to the liability of potentially being able to change consensus on that chain in order to manipulate these sorts of ICOs on the platform? Are you concerned about any sort of liability that Tari would have there?

I don't think so. I mean, the organizational structure is, I mean, we own the Tari.com domain and the Tari Twitter handle and that, but the organizational structure is really Tari Labs, and that's the cool thing that we've created. Tari Labs is an organization that has employees and is employing more people in Johannesburg in South Africa, and they will be working, they are working already, on some of the stuff, the learning curve, to allow them to build Tari. But they're not going to be building in isolation. They're going to be contributing to Tari and they're going to be contributing to Monero. So, you know, the organization itself is just an organization that contributes to an open source protocol.

Cool, thanks. Okay, now let's go to anonimal. So in previous conversations that we've had, you've expressed that Kovri is not just meant for the I2P ecosystem; it's meant to be at its core an anonymizing router. Can you speak to, in the future, Kovri's connections with I2P and what other sort of technologies you're considering, perhaps even if it's several years down the road, using with Kovri?
Okay, yeah. So I want to keep it open-ended, because as I discussed earlier this is an ongoing development, and we can't get like, if ever in jazz, you have, they're called pet chords, right? You go to those pet chords where you, okay, I'm gonna play that F minor because it's comfortable, it's there. So no way am I saying anything we do is going to be forever. And you know, I2P is what it is now, but that doesn't mean it's not going to be that later. You want to know what other options? There's not really many other options at this point. There's attempts at options everywhere, but those aren't really anonymizing. GNUnet is one attempt. Dandelion, as I said earlier, the Bitcoin non-solution to anonymity. CJDNS. HORNET, I mentioned HORNET. We need more research, honestly. I mean, for every crypto enthusiast, you know, you're just like, you know, a twelfth of that person is an anonymity developer. So I mean, it's really minuscule, a really small amount of people working on this type of technology. So we just need more people, more interest, more physicists, mathematicians, especially more physicists, because this problem is not going away anytime soon. Did I answer your question?
Yeah, you did. And unless you had any specific technologies that you were really looking for, you mentioned Dandelion.

Yeah, no, no, no. Okay, no, they try a line on the graph, you know, like here, you're not, okay? No, okay. So I'm not joking, you go look at the specs, it's just, okay, okay.

So I'm a student at the University of Minnesota. I have spoken to one of the professors there who does Tor research, and he said that he previously did some initial look at I2P several years ago. The protocol has likely changed significantly since then, but according to his own words, he said that they did not even bother publishing papers about how insecure it was, because it was essentially self-evident and it was very obvious. So generally, this is several years ago, so generally the question for you: what general sort of confidence do you have that I2P is a generally rigorous and researched protocol in terms of protecting the anonymity that you would have?

Well, okay, that's a great question. Have you looked at the specs? Has anyone here looked at the specs, done their own research? Has anyone here looked at the Tor specs, done their own Tor research? I mean, the specs where you're laying out the equations. Yeah, see, no one's raising their hands because, okay, we've got a hand back there, cool. But then again, how many people are knee-deep in the code developing this stuff? See, that number just gets smaller and smaller and smaller. So you can, you know, anyone can say, oh look, you can throw millions of dollars at research, you can throw all kinds of fancy equations out. Like, I'm sorry, I'm not going to beat up on Dandelion, but it looks fantastic on paper until you realize it just doesn't work. So I don't know, am I even answering the question? There's really no, like, safe, you know, oh I feel cuddly feeling the system, oh my god, this is great, I feel perfect, I'm so private. It's essentially, yes, I mean, this is the ultimate DEF CON expression of this. It's
just we're hacking one hack after a hack after a hack after a hack. I mean, that's like life, where we're just trying to get through this and there's no perfect solution. Sorry, man.

This is a sad but true.

Yeah, exactly. I'm not high, no.

Let's open up for questions. I don't know how this works.

You're welcome to ask the Coinbase thing, you're welcome to ask. So just so we get this on the recording, I have the same answer to, I have about, why Monero?

Yes, I have a quick, I can do that, yeah. Okay, so in my talk I forgot to mention, okay so like, okay, oh, no one doesn't believe in privacy, what the heck, man. So essentially privacy still is, I believe, ill-defined, and I think what we're trying to define as privacy is essentially varied aspects of relative publicity, because there's no such thing as being private, because you cannot exist while not existing. At least I have yet to see the proof, any math, anything about that. I talked about that in the first half of my talk. Okay, so great, nothing's private, so we can take that out of the reasons why X can't use Y. Next thing: Monero is essentially a language between two points in space-time, right? I'm like, you can hear me say space-time, you know, you'll see that I'll probably do it. Aliens, yeah, exactly. So you want to have that private transaction, essentially you just want it with that other point in space-time. So Monero is a language. All right, these are all languages in which we're expressing. Now, for any institution X to discriminate against someone based on language, that is flat-out discrimination. I don't think Coinbase has a real reason, or even the government has any reason, to discriminate based on language, nor can they. I mean, this is like a constitutional thing. So I wonder, I mean, with that perspective, which is absolutely proven, why not Monero?

Yeah, what's proven? I'm not the person answering this question.

Well, I was just gonna say, I wanted to buy a whole bunch of stuff on
Project Coral Reef and I can't get any Monero, you know, so that's why, Monero.

Thank you for saying so. That means, look at all the suffering children, they can't get their Mariah Careys.

Yes, literally. So do we want more audience questions? Yeah, we have a lot of extra time. Yeah, to avoid any more brigading of why Monero's not on Coinbase, let's have some additional questions. I guess I'll just hand back the mic then.

So this is kind of a question for everybody here, because I mean Tari is kind of open source, I guess Coinbase isn't, so you can sit tight, but if you have an opinion on this, please do. Kovri's open source, MyMonero is, well, okay, you know, once again, it's kind of open source. But I'm a UX person, you know, and UX is really, at its core, all about empathy. It's understanding what are people not getting right and why are they not getting it right, and what can we do so that they can get it right. So that whole piece of designing for the user and not for yourself, and open source technology is just at the absolute worst with this. It's filled with developers, and so these things work, they are functional, which is great, that's a great first step, but they suck to use. And this is the case with Bitcoin, and this is even exponentially more the case with Monero, just because we have these privacy technologies layered on top of that. Like, what work is being done on just keeping things user-focused? And we can always say, well, they should just read the manual, and I understand we're in the early stages of all these different types of stuff, but eventually, if we're talking about mass adoption like everyone likes to say, we have to start thinking users first, every other person's first. And you know, that's actually one of the things I appreciate about Coinbase, that this is one of the things that they really aim for, and of course there's pros and cons here and there in achieving this. But just in terms of Kovri, what
and you actually touched a little bit on this, you know, make it so you plug and play and it's in and then you don't have to think about it. But in terms of Tari and in terms of MyMonero and stuff, I just want to hear everybody's thoughts: how are we keeping things user-centric, how are we keeping things user-first without sacrificing at all on security and privacy? Is that even possible, because they're on opposite ends of the scale? You already answered the Kovri one in your question.

I think from my perspective you're correct in saying that there are trade-offs, and there always are going to be trade-offs. Using MyMonero is really easy, but you're sacrificing some privacy, or sacrificing part of your security model, in order to use that as opposed to running a full node. That's not going to change. I think what we can do is we can more effectively communicate to people the differences, but I think that even that's largely unnecessary, because a more paranoid person will naturally gravitate towards doing their own research, figuring out what they should be doing, and then running a full node anyway, and somebody who just wants to get up and running is going to take whatever is the easiest way to get in. They're going to use Edge or MyMonero or something that is just super simple. And I think that the focus that we've had up to now has been on functionality, you know, it's been on first make it work, and we're starting to get to a point where we can say make it work well. And that's definitely something that not only Tari, but I know across the board all of the wallet manufacturers and the software companies are interested in improving, that user experience. I know Coinbase is interested in improving the user experience, but it's progressive and it's iterative. It's not going to happen overnight. You know, we have access to incredible resources.
We have the Forum Funding System. There's all sorts of stuff that we can throw money at if we needed to, as a community, but I think that it's largely premature in some respects, and I think that there are organizations like MyMonero, like Edge, like Cake Wallet, like Monero, that are making efforts to improve the user experience without the need for us as a community to go and try and figure out what the ultimate user experience is. But it will get there. It just has to be iterative, because that's the way that good open source software is built. And one more thing, just to speak to your point: I know that a lot of open source software is clunky, but there are some really beautiful open source applications out there. So it's not the method of building that is the problem. I think it's just that sometimes we tend to either not dogfood it, and we don't use our own applications, or we're just not speaking to users enough, and there's a bit of a break between the people sitting on IRC in #monero-dev on Freenode and dEBRUYNE, who has to answer all the questions on Reddit.

So adding into that as well, one of our successes at Coinbase is being an abstraction from core crypto interactions that a user has to do, right? Our users, we protect them from a lot of this complexity because they otherwise wouldn't interact with the system at all. And so there is space, if you think about defining what your user actually is in open source, right, who are you building it for? There's a world where your open source developer builds it for the internal crypto team at Coinbase to use well, so that we can then make it available to our users more easily, right? And so those types of abstraction layers and the degrees of complexity, as you get further away from what is the core crypto operation, is where you get better and better UX. You just focus a bit more on different pieces.
So I agree with Riccardo about open source not being implicitly antagonistic to good user experience. I think it's just, well, it's a few different things. So first of all, I want to mention I had this teacher back in the day who said that git, the tool, you know, it's used on Linux, version control, it's not learner-friendly but it's very user-friendly. And so there's a steep learning curve, but once you get there it's extremely easy to use. And I found to a certain degree the same thing about the Monero CLI program. I think it's actually quite well designed, but I think that the reason it's able to be so well designed is that it's relatively straightforward to build something like that, simply because you're just relaying the specific data content that the user needs to interact with. Whereas with something like a GUI, I think that the phenomenon of design by committee tends to come in a little bit more, because there are all these different ways you could do it, and exactly for the reason that there isn't as much interfacing with the user and all that feedback that you get from that, the exact use cases aren't made clear first of all.

Awesome. Thank you. Your question, Diego.

I have strong opinions on this, since I've been writing security software for like 30 years. Your basic question is, why isn't the application easy to use while not losing any privacy? And this is actually a question that the entire computing industry still hasn't solved. You look at a web browser and freaking HTTPS support. Everybody here probably uses that, but as soon as you go to a website with a certificate you've never seen before, you get this little dialog box, and probably everybody just clicks OK. All right. So the fact is we don't have any working examples of good security with good usability. They don't exist. And it's an ongoing problem. It's unsolved in the entire industry.

Thank you. Go ahead, Power Cycle.

Okay. For Coinbase.
And this may not be directly to your department, but since you're here. So about the world police thing and policing what people transact: I've heard many stories of where people were sending money to maybe a darknet market or some sort of address and have their Coinbase account just freeze and lock. First question is, do you publish the list of blacklisted addresses, so that someone doesn't accidentally send their money and get their account locked? And two, if you don't, why not pop up a little warning to say, hey, you may be transacting with, and you know what they do, and they're locked in?

So I don't know how much of this I can actually answer. We don't publish the list of blacklisted addresses. A lot of this is, it's retroactive. We don't know until law enforcement comes and tells us, and then we have to start cleaning things up. Now even in that circumstance, I don't know how much we're just able to then publish what we've been given and told to clean up from. With that said, I would love to give a little pop-up to say, are you sure you want to send this transaction? But I'm pretty sure our growth people would tell me not to.

Okay, just so we, I'm going to repeat the question just to make sure it's recorded. So the question was, if there is a situation where you already have the addresses, why don't you let them know that this behavior would be flagged?

Part of that is just implementation-wise, right? Another thing is some of these addresses that are being locked are also the scam addresses that you see on Twitter. And it's all over the place, so some of it is protective, right? We locked the account because, hey, you obviously don't know that you shouldn't send fake Elon Musk 10 ETH with the hope of getting like 50 ETH back, right? And so it's kind of a catch-all system right now. It's just implementation-wise.
Some of this is we'd love to explore it and see how much we're allowed to do that, versus, you know, we could publish, that's a scam address, don't ever send ETH there, right? For the law enforcement related stuff, I'm not sure where our opportunities are.

All right, so we have a question over there.

So going back to what you were saying earlier about the number of people that have actually gotten into the I2P spec and the implementation and are really yard-deep in the code. There's been a big rift between I2PD and Kovri, and do you think that is worth reconciling and trying to get that in a more amicable situation where cross-contributions are able to be made, and if so, how would you see that happening?

We're waiting for the mic to come back. Okay, well, first I would ask, how do you define reconcile? But Ric has to say something.

So I was there right at the beginning when the rift happened, and it's like, I have mad respect for anyone who's working on privacy software, but the dude working on it, like, up and disappeared for a long period of time, multiple months, and we were just left hanging. And so we continued the work on I2PD, but in our own fork, and the people that were left hanging in channel going, well, I have no idea what's going on, they continued the work on that fork. And when he suddenly pitched up, he lost his mind because we hadn't done things his way. And you know, I mean, my concern with reconciliation is it's all fine to try and reconcile, you know, heal the divide and all that, we can all sing kumbaya, but what happens when he ups and leaves again? And unfortunately just the structure of that project is it's a benevolent dictator, it's not community-driven, and he's not very benevolent as far as dictators go. I just, having been there, I just don't see value in trying to solve that. We have a really good working relationship with the rest of the I2P developers. We go to CCC as often
as we can. We sit with the I2P guys at CCC, we figure out ways that we can work with them from a protocol perspective, and I think that's, we're doing the best that we can do in terms of interacting with I2P the organization, and making sure we stick to specs and future specs that they might publish, until such time as we find a bit of technology.

Okay, let's say you and I are collaborating on something, right? And let's say I'm a malicious person, like in attitude, demeanor. I'm immature, I call you names, you know, whatever, you brush it off. And then you get to the code, and then you realize this code I'm giving you, it's also malicious. I mean, it's pure shit. It's literally either I am so incompetent that I honestly don't know what I'm doing, or I'm actually pretending to do this so I can watermark routers, and essentially, you know, because you know memory is of course, you know, it's just, memory's always initialized, right? No such thing. Okay, so you do that, you do it over and over again, you try over and over again, and nothing changes. So I ask you, what would you do? Do you find a healthy and extremely intelligent, capable community to collaborate with, or do you keep using malicious code with the malicious person? I just don't understand what's to reconcile. I don't understand. I mean, personally, it all comes down to the code, in my opinion.

Okay, so I have a follow-up question with Riccardo. Can you speak a little bit more broadly within the Monero ecosystem? I'm aware of several situations where we've had contributors that did not work well with the culture of Monero. Can you speak to a similar situation where you have someone who might be gifted in code but just doesn't have the sort of culture to work with the Monero team?

We're talking about fireice now?

I didn't say that. I only implied that. We're talking about people that may or may not, you know.

I mean, like there's a way of doing things in the Monero,
of, amongst the manner of developers, and the things that we do are not difficult. Hang out in IRC as often as you can. We have relays, you know, through Matrix, Slack, Discord, so you don't have to use IRC even, and there are tons of developers that don't, but, like, you know, communicate, so that you'll just be there, so that you can see when people are picking stuff up. I think that's a pretty important tenet. And then when you submit code, just, you know, you're submitting it to the Monero project under the conditions and licenses the Monero project uses. You cannot write your own license and attach it to a PR. And then when all of these things aren't working and you're not communicating with people and people are asking you, please come communicate with us, then don't rage quit. You know, I mean, I think these are three basic things that most Monero contributors are happy to do. And I mean we've had nearly 500 people contribute to Monero over the past four and a bit years; we've had one problem child. I think that speaks to the way the developers work with each other. And don't get me wrong, there are many frustrating things. There are people waiting for me to merge PRs, they've been waiting this whole week, you know, like there are people that get irritated with me, there are people that get irritated, we get irritated with each other, there are people that get irritated with how things are, and, you know, I mean, all the time. But I think we all have a mutual respect for each other, and it is extreme, and you have to really go off the rails to break that respect down to the point where no one actually cares if you walk away. I mean you have to be a problem child of note, where, like, that respect for that person from a technical perspective is gone, and that's what ended up happening there. You know, I mean, like, we really tried. I had many conversations where I was like, you know, I don't think you're a person who's trying to
harm Monero, what can we do to try and fix things, and how can we work together, and please can you not attach your own licenses to pull requests, it's bizarre. And eventually it's just, you know, it's not you, it's me, clearly. And that's sort of, you know, where things ended up, and he's now working on Ryo, whatever it's called, and they, like, you know, he backported a pull for a fix for a wallet caching bug, and that's nice, and, you know, like they're gonna obviously backport things that we do, and I think that that's probably the best that we're going to get in terms of a development relationship, because he just is an impossible person to deal with.

Cool, the question, yeah?

Oh, I was about to, there's the other point where that said issue that you explained was posted on GitHub rather than the VRP, for the alleged reason that the VRP is insufficient for dealing with...

No, we have a vulnerability response program, we use HackerOne, we've used it for some time now. HackerOne works surprisingly well, it's not difficult to use. Everyone that discloses issues to the Monero project uses HackerOne, and I think that, you know, where there are exceptions, like Cisco Talos found an issue and they posted up on GitHub, like, who do we report this to? Because clearly reading security.txt is too difficult. And we pointed them in the right direction, we showed them where the GPG keys were, they were able to send us stuff. It was out of band, it wasn't through the VRP, so we don't have a problem with people reporting things outside of the VRP as long as they do so using some sort of responsible disclosure, and that's kind of what you can hope for. And when someone just, like, almost purposely and maliciously goes and takes things and publishes them out in the open without going through the responsible disclosure stuff that we all know we really should be doing if you're even vaguely interested in security, then it's disruptive for
the project as a whole. And I think, you know, we use the Collaborative Code Construction Contract that ZeroMQ devised, that Pieter Hintjens put a lot of work into before he passed away, and the Collaborative Code Construction Contract is not, it's not like a code of conduct, it's just like, hey, if you're gonna work in the project, this is how it's administered and these are some basic things. And it really makes it super difficult to take action against anyone, because it's like, this is the absolute last resort, is that you actually block someone's access to submitting code to the project. And we didn't even get there, you know, we put up with a lot of stuff before we even get to the point where, as people have access to, like, collaborator status in the GitHub repo, that we'd actually take action and try and bar somebody from what they're doing. We're not there yet, but, you know, maybe it'll get there one day.

So I have a question, we can pass it to Shamik. So I know Coinbase uses HackerOne also for responsible disclosure. Can you speak a little bit about how that has, either ways that it has simplified the process, do people generally report things, and has it worked out well for Coinbase?

So like any public bug bounty program with decent awards, we get a strong mixture of terrible, terrible, just non-bugs, things like, you know, your rate limits are bad, and we're like, the requests are within the number of the rate limit, and so forth. We also get some very high quality bugs, and it's just a matter of, that's what we have to deal with in order to get through it. For us, what helps here is every security vulnerability disclosure always goes through the same pipe, and we have our internal policy and program to actually deal with it, and in, like, a reasonable time frame. And so giving our support agents, for example, a place where they can say, if this is a real bug and it looks like one, send it over there. Plus we do also get some product feedback,
and we get a, I'd say once a quarter, we get somebody reaching out to us thinking we are Bitcoin and proposing, you know, sending BIPs our direction. That way we have to let them down; they tend not to understand. So it's public, right, many people can interact with it. If you open a door like that, many people are going to walk through.

Awesome, and can you speak to some of the fallouts or difficulties that you've had with the HackerOne system? Has there been a case where people who have responsibly disclosed code with HackerOne have explained, or have expressed, just, like, a disappointment with how Coinbase handled the issue, and sort of the process that you have for handling the issues on HackerOne?

Yeah, some of this is, as a person doing a disclosure for a very complex piece of software, you don't see the same things that we see. And so we have people who are doing just pure old-fashioned ACH fraud thinking that they found some new, like, class of vulnerabilities that's affecting Coinbase, and when we say, like, that's not how the system works, it's a lot of, like, you need to understand how these payment systems work to understand whether or not you are explaining a vulnerability. They don't get it, right, and for them it's like, why is Coinbase, who is a large brand, not giving me, like, this money? In some particular cases we've had somebody come back in 30 to 60 days, be like, hey, my account's locked now, what happened? I was like, you did ACH fraud, you never chewed up, like, that's, this is what ACH fraud does to an account, to a person. In other cases it's just, it's mostly this information asymmetry. Some reporters have reported something that somebody else has just taken care of, right, or has just, like, presented to us as well. Given that we have millions of users, somebody's going to run it, like, two people are going to run into the same thing at some point. Send that to us; whoever comes in first, whoever comes in with a better, like, well-explained system,
we will give them the award, which means that if you're the other person, the bug still exists as far as you can tell, right, we can't fix things immediately, and you're wondering why you didn't get paid out as well.

Okay, so we still have some time for more audience questions. Does anyone have any questions for anyone on the panel here? Yes, can we get the microphone moving that way?

Hi, I'm new to the Monero HP, I've known the words for a while. I'm just curious, you mentioned a sort of hesitancy for ICOs and raising money that way. I don't know how the project is funded, I'm just curious, how is it funded?

It's funded by watches. Couldn't resist. No, so it's a good question. We have a general donation fund and people donate there. Some mining pools send a portion of their profit to the general donation fund, and that's one way that we cover monthly costs. We have build bots across all the platforms that we support, separate build bot instances for the GUI and for the CLI; that ends up being quite a big group of machines that we have to pay for. There's ARM devices that have to, that's an internet that we pay for. Our CDN costs are stupid because people are downloading Monero a lot, and CDN costs, like, four and a half thousand dollars a month, and that all pretty much gets paid for out of the general donation fund. And then we have some, we have, like, corporate sponsors in a sense. So as an example, the company that Howard works for, they're one of the corporate sponsors because they pay for his time and let him work on Monero. We have some corporate sponsors that have given us licenses, like Dome9, who handles our firewall and some of our security infrastructure; they give us Dome9 for free because we're an open source project, so we list them on the sponsors page. We generally take a proactive approach with that. We will say to someone, hey, we're using your stuff, we're an open source project, can you give us a reduced rate? And then they'll be like, sure, we'll
give it to you for free, and then to thank them we go in and put their logo up. JetBrains have given us some stuff, so, you know, like, across the board we get some of that. And then we have something called the FFS, the Forum Funding System, which is a crowdfunding system, so anyone can pitch up and they can say, I have this cool idea, I want to build a new logo for Monero, because Kenneth just got a Monero logo tattooed on his wrist and so now is the time to change the logo. And so they can pitch up with any idea. I mean I don't think that Monero particularly needs marketing, as an example, but there are people that do, and there's a guy that's doing a whole outreach marketing thing. And then there are two full-time researchers who are here who get paid for their work on the Monero project by the Forum Funding System. So there are full-time developers that use the FFS to pay their salary so that they can work on Monero. There are some people who also use the FFS to work on specific things: I'd like to build this particular feature. And then we control the purse, the wallet that the money comes into, and we pay it out on milestones based on whether the community accepts the milestone as having been met or not. So those are the three main ways that the project is funded. There's no premine, there's no, whatever, you know, portion of the block reward that comes to any central authority. In fact there is no central authority. We could all get hit by a bus tomorrow, this entire room could get nuked, and, like, Monero would continue, but we'd be sad.

Excellent, does that answer your question? All right, any other questions? We have only eight more minutes left, so only a few more questions. Okay, so the question is, what are the best practices to take with securing your wallet? Paul, do you want to talk about this a bit?

Yeah, don't take them on a boat.

Yeah, and if you do, make sure it's paper, make sure you write
it down on paper.

So the generally advised best practice is you want to generate your seed on a machine that's never been connected to the internet, and then you generally want to back that up in some way that's relatively secure. You can go pretty far with that: you can encrypt the mnemonic or your seed, you can split it up and then encrypt those pieces, and you can do all sorts of things. For most people you probably don't have to go too crazy with it. It is important to know that if you lose that secret seed or the secret mnemonic, exactly, yeah, you don't have access to those funds anymore; it would be extremely difficult or impossible to regain access. And then, yeah, from there there are just varying levels of more convenient but slightly less secure. For example, MyMonero generates the seed on your computer and the seed never leaves your computer, but it discloses the view key, which is necessary for scanning the blockchain, to the server of your choice, and then that server will do the scanning for you. And so that gives you the benefit of being able to jump on another device and you don't have to scan the whole blockchain again; you just log in and all your data is there. But there is that slight trade-off there. Does that help?

So yeah, and I mean, like, in terms of that, I think you also got to figure out your threat model, right? I mean if your threat model is like, I want to fund my unborn daughter's college, then, you know, and that's what you want to do, or you want to have, like, a private store of value that no one knows about, if that's your use case and that's your threat model, then yeah, cold storage, like, off it goes into the safe, which goes on the boat, that's at the bottom of the ocean, whatever. Like, you know, you figure out your threat model and you do that accordingly. For regular spending or for keeping smaller amounts there are mobile apps that are pretty decent, obviously MyMonero, there's Cake Wallet, there's Monerujo, there's Edge, X Wallet, and then if you
want to use a hardware wallet, there are a bunch of really good hardware wallets. Ledger Nano S just got support for Monero, Trezor says it's coming with the Model T, and then there's the Kastelo, which is the sort of Trezor-ish clone, our own thing, that the Monero hardware guys built. And of course there's Bitfi, which is unhackable. Please don't use that, please do not use that. But yeah, I think in terms of hardware wallets, the Ledger Nano S is probably your best bet right now, or Kastelo if you can get hold of prototype hardware, and, yeah, we'll wait for the Trezor Model T to come out.

Okay, any other questions? Okay, so we want a general update on the upcoming v8 software upgrade of Monero. We'll get you to answer that.

Yeah, look, I mean, there's small things that are gonna be in there, it's nothing mind-blowing. I mean there's the CryptoNight v8 tweaks, the small thing called Bulletproofs. Small thing called, no, well, Bulletproofs we hope will be live in it. It depends on the third report; we're waiting on the third audit on Bulletproofs. But yeah, hopefully, I mean, Bulletproofs has been live on testnet since December and it's held up, because people use testnet all the time, I promise. And it's been reasonably robust, and the audits have been pretty good. So yeah, like, hopefully Bulletproofs, hopefully, you know, a couple other little itty-bitty things and performance gains, some nice performance gains, nice improvements on sync. And then fluffy blocks, I think, will be the default way of moving blocks around the network from v8. That has already, it's already happened, so that's from v7. Yeah, hopefully the Bulletproofs make it in there, because that's the, it's a significant improvement to Monero's general protocol.

Okay. Yeah, so that was, I mean, like, we used to do March-September, and then with v7 falling over to April-October, I mean to April, then the consensus seems to be like
we're just going to do April-October now, moving forward. I just push buttons, I don't, you know, I mean, I just read the thing on the screen where people go, this is what we're doing, and I go, oh, so I know as much as you do.

All right, so we have time for one more question. Who wants to close this panel out?

There, so we're like, so, Ananimal. A comment, just real quick, since we were talking about HackerOne and whatnot: tomorrow I will be speaking briefly about our VRP, our HackerOne thing. I'll have slides, music. I hope to be really hung over from the party tonight, the epic Monero party we should have, I mean, never mind, it's not a party, it's cancelled. That's all.

Closing question, anyone?

Where's the party?

Excuse me, it is not 6 p.m. yet. We need a non-party question. Not for the question, anyone? And a non-Coinbase question.

Non-Coinbase, I got one. So, optimal ring size?

The answer: infinity minus one. Yeah, do you want, I do, you can speak first, and I kind of want to speak on that too. That's fine. I was gonna say the optimal ring size is orange. Yeah, I mean strictly from a general, you have more outputs as possible spenders, the higher is better, but you need to make sure that there are legitimate improvements, and MRL spent a lot of time looking at what the bottom line of these improvements are. I think at the moment it'll fall somewhere between 10 and 20. Okay, Brandon? Let's, Brandon, you should, okay, Brandon is agreeing with me, good.

Okay, um, so given that it is now 6 p.m.,
we're going to wrap this panel. Let's have a round of applause for all the participants, please. All right, and now for the reason you're actually here, we have, is it Power Cycle coming up? Yeah, okay, so Power Cycle, you can just come up and do your fancy announcement. I sure actually, oh, let Cinnamon Flower do it, because she's a speaker. You can hop on stage or stand right there, your choice.

My name, can you hear me okay? My name is Cinnamon Flower. I worked on a lot of the art for the village and for the party, and I'm one of the organizers for the party, so I'm here to tell you a little bit about that. But before I do, what I wanted to say is that a lot of us volunteers, in the Monero hardware team in particular, who I worked with, we've been working for weeks and months on this, so I want to acknowledge all of their hard work and congratulate them on a successful village this year. And I also want to mention the fact that up until a couple days ago a lot of us had no idea what each other looked like or sounded like, because all the communication was done over IRC, email, whatever. But then we met, and I really feel like there is no substitute for meeting in person, talking, exchanging ideas, and this is what I feel that this evening should be about. I really feel like this evening should focus on people meeting people, talking, engaging, talking about what excites you, Monero, other projects maybe, but, you know. So if you came to the party last year, you know it was a lot of fun, but we had a lot of people walk in saying, I don't know anything about Monero but I do want to learn, like, who do I talk to? I'm like, pretty much everybody here. So they left the party excited and wanting to pitch in and help with the community. So that was, I'd say, the most thrilling part of the party last year, and what I'd like to see tonight, hopefully a little bit more. And I'm going to turn the mic over to Power Cycle, he's going to give you a little bit of the history of how the party started, which is kind of funny. Not
everybody knows how it started, but you go ahead and talk about it.

Thank you. Real quick, the party is in the Forum Tower, room 6116, because that's what I know. Nine o'clock, it starts at 9, we're supposed to go till 2 a.m., so feel free to drop by anytime. About the party, how it came about: there is, I was just coming to DEF CON and said, hey, does anybody want to meet up? And so the community just started to pitch in more and more, and we had a great party last year, and that's essentially what we did again this year. So there's a lot of contributors; there are no corporate sponsors or anything like that. This is all the individuals just wanting to get together and mingle, you know, outside of the tech thing that we're all doing during the day. So everyone is invited, it's an open party, and please tell your friends and bring them all. And if anyone would like to help me, I could use some help moving some ice and stuff like that, so come find me afterwards. Somebody, a question in the back? Yes, room 6116, the Forum Tower, and if you look on Reddit, I just did a post that says the room numbers. Well, if you look on my Twitter account, it says the room number, which is separate, a pinned tweet, on the Monero subreddit, reddit.com/r/monero. Thank you.