privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

Cryptocurrencies recommendations are dangerous #207

Closed hyc closed 7 years ago

hyc commented 7 years ago

The Shadowcash project has been abandoned by its developers, and should be removed from the site. https://steemit.com/cryptocurrency/@tonylondon/particl-a-new-privacy-friendly-market-platform

The Zcash listing is misleading at best, and because of Zcash's trusted setup, the project itself is not cryptographically sound. It should be removed from the site. The key point here "Unlike Bitcoin, Zcash transactions automatically hide the sender, recipient, and value of all transactions on the blockchain." is false, Zcash does not automatically hide anything. Users must explicitly choose to use Zcash's private transactions; the default is not private and the majority of users never change the default. Possibly because they've been misled into believing it's already private by default.

The only cryptocurrency in existence that is private automatically, by default, is Monero. It should be raised from just a "mention" to a more prominent listing. It is the only one that actually protects users' privacy.

hyc commented 7 years ago

Listing Bitcoin is problematic as well. It is well proven to be fully traceable and offers zero privacy protection. http://www.coindesk.com/danish-police-claim-breakthrough-bitcoin-tracking/

loganmarchione commented 7 years ago

@hyc, I had a PR open, but it sat for over a month until I eventually closed it. PRs aren't automatically merged via cron job or anything, so we're at the mercy of the repo owner to recognize and approve them. https://github.com/privacytoolsIO/privacytools.io/pull/156

ghost commented 7 years ago

Why should PRs be merged automatically?

Josexv1 commented 7 years ago

Any news on this? i still see that the cryptocurrencies have misleading information.

ghost commented 7 years ago

I would just like to add that in addition to the Shadowcash devs announcing that the project is finished, it is also nigh impossible to get SDC, as most, if not all currency exchanges have delisted it. It no longer has any practical use.

3k2 commented 7 years ago

@YuFanLovezYou

Shadowcash is also a dead project, so it should be removed imo.

The ShadowCash team have stopped working on the Shadow Project. They are now working on a new and improved project called Particl. Read the official announcement and follow Particl blog for more info.

says their own website..

hugoncosta commented 7 years ago

I believe you should put Monero up first. It's the only currency that forces users to use encryption on every transaction, unlike ZCash, that allows some users to do so. But if only 10% use it, it's easier to track who uses it and who doesn't, defeating its purpose. Also, Dash isn't the best example - it's a very centralized service (they use masternodes that are determined by how much Dash you own).

ghost commented 7 years ago

Create a PR fixing the cryptocurrency section and I'll merge.

kewde commented 7 years ago

Replacing the ShadowCash project is a good decision.

Bitcoin should stay, maybe with a warning about the potential privacy problems. There are only a few ways to get Monero or ZCash without buying Bitcoin first, it makes sense to have it included.

I don't agree, however, with the arguments raised against Zcash here. I'll reference back to the reddit thread; https://www.reddit.com/r/privacytoolsIO/comments/5md4xi/why_having_shadowcash_dash_and_zcash_in_the/dc2q0ao/

hyc commented 7 years ago

Zcash privacy is entirely conditional, based on the whims of the Zcash Electric Coin corporation. https://www.reddit.com/r/Monero/comments/6k57zy/can_we_get_a_fair_comparison_of_zcashs_private/djjtary/

kewde commented 7 years ago

Private - should be an X. As a general principle, without privacy by default, there is no privacy. For zcash in specific, coins have to be sent from a transparent address to a hidden address before a hidden transaction can be created. That means standard timing analysis will let you track them, and uncover their amounts.

That doesn't seem right to be honest. You could argue that Monero suffers, in manners far worse, from the same 'standard timing analysis' you can think of. The standard anonymity set is several orders of magnitude lower for Monero than for ZCash. I bet, even if you apply the best known combinatorial analysis attacks for each coin respectively, that you'd still end up with a bigger anonymity subset in ZCash (and thus more privacy).

"without privacy by default, there is no privacy.", I haven't seen any proof as to why that should be considered a 'general principle'.

One of the many arguments I hear is that 'you can do x transactions to yourself and gain an anonymity set of r^x, where r = amount of mixins'. That's not privacy by default? It doesn't even work that well when operating over short time intervals due to skewing the probability, making it more vulnerable to the timing analysis attacks that have plagued Monero. The same tactics can be applied to Zcash too.

"based on the whims of the Zcash Electric Coin corporation. " Forks remain forks. If people strongly disagree, then they can fork their way out of it.

ghost commented 7 years ago

Doesn't privacy by default make timing analysis harder by increasing the amount of potential subjects?

kewde commented 7 years ago

Doesn't privacy by default make timing analysis harder by increasing the amount of potential subjects?

Well that depends. I'll try to explain it simplistically, without going into any individual analysis attacks. Privacy by default is generally considered to be more healthy as it grows the overall anonymity set; however, claiming that you have no privacy without having it on by default is bollocks.

RingCT (used and invented by Monero) allows you to obfuscate the sender of the transaction, it picks r amount of other "mixins" (aka potential subjects). With every transaction you have a probability of randomly picking the right spender 1 / (r + 1) times. The anonymity subset per transaction remains constant over time. The overall anonymity set (= the pool of potential subjects to pick from) grows linearly per transaction (assuming two outputs each tx).

With ZCash, the anonymity subset per transaction is equal to the overall anonymity set, which also grows linearly per shielded transaction. The probability of randomly picking the right spender becomes near zero because it is equal to 1 / (r + 1) where r = overall anonymity set. r is not a constant, it grows and if you (incorrectly but theoretically interesting) assume that r -> infinity then the probability goes down to zero ( lim ( 1 / (r + 1) with r -> infinity))

To get back to statistical attacks, there are a few classic ones 'time correlation attack' where you assume that the youngest mixin is the right spender that simply don't apply to zcash. The issue with zcash and the ability of transparent amounts is that you can do some 'amount correlation attacks', where you can narrow down the anonymity subset per transaction because the non-hidden output amount is so high that you can scratch any mixin that is lower than that. But I'll bet that in most cases, the smaller subset after applying the attacks is still bigger than the anonymity subset per transaction by Monero. Any sane person will tell you RingCT is a lot more vulnerable to sidechannel attacks (time analysis, combinatorial attacks) than Zcash.

The only argument which is valid against ZCash is the fact that zk-SNARKs are generally a new thing and being skeptical about it is okay. But RingCT is generally considered to be new too. I still stand by my decision to not have Monero included at first; there was a bug discovered recently that would've allowed the printing of an infinite amount of XMR. It brings a bit more peace of mind to know that developers from Blockstream (gmaxwell and sipa iirc) have looked at RingCT, also (re)discovering the infinite money bug.

The last argument we had about this case was on reddit, and it too was flooded by Monero supporters (they have a dedicated group of supporters/shills). The funny fact is that the arguments against the trusted setup were mostly because it would allow the creation of infinite money, a thing which can happen with bugs too. I didn't care for how the coins are as a store of value; if you ask me, they're all shit, even bitcoin, they're speculative assets but generally the only ways to transact online with privacy.

A compromise of the trusted setup would not allow the attackers to remove anonymity.

hyc commented 7 years ago

Your discussion of anonymity set is like "how many angels can dance on the head of a pin." Since Monero uses stealth addresses, the anonymity set is essentially infinite - even if you can correctly guess which input is the real one in a transaction, that doesn't tell you anything about who the sender is. I.e., anonymity is always 100% because there's nothing that links a one-time-use stealth address to any user's wallet address. And, your statistical attacks only give you a probability - you never have any certainty that a particular input is the real one. It really is just a guess; you have no way to verify it.

Your assertion

A compromise of the trusted setup would not allow the attackers to remove anonymity.

doesn't seem to stand up to close scrutiny, when the CEO of Zcash himself says they can trace their tokens.

kewde commented 7 years ago

The anonymity set isn't infinite from all perspectives. The person who sent you the money knows the ephemeral address (well, public key in the case of Monero) and can link the output to the stealth address because they sent it. Anonymity has to work even in hostile environments; I wouldn't call it trustless otherwise. By your analogy, using stealth addresses is the only thing needed to provide anonymity?

You also conveniently left out a few parts where he says that it would have to be done through KYC/AML compliance and where it would still be private and fungible.

"And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible. …"

"It's simply that good KYC/AML compliance at FIs probably deters criminals without violating privacy. Zcash makes that easier not harder."

https://mobile.twitter.com/zooko/status/863202798883577856

ghost commented 7 years ago

And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible. …

Doesn't sound like success to me.

kewde commented 7 years ago

What he says is that exchanges and their KYC/AML policy should be enough to prevent criminals like WannaCry as long as they want to cash out to fiat. If they don't want fiat, then it will still be untraceable. The same applies 100% to Monero, Bitcoin etc.

https://mobile.twitter.com/zooko/status/863202798883577856

hugoncosta commented 7 years ago

@kewde someone smart enough to create (insert malware) in order to steal crypto is smart enough to use anonymous crypto-to-cash services. But assuming they have a lot to cash out and only an exchange is able to do so - fine, but fraud is still easy to do. I mean, they just need to create a Skrill/Neteller account, request an ATM card and they can cash out up to 1000 euros a day. They'd even receive a 10-20% markup when selling their crypto for Skrill/Neteller. Anyone with 2 fingers worth of know-how is able to successfully and anonymously cash out these days, be that with Bitcoin or Monero or ZCash.

So, that aside, yes, the sender knows how much they send. But no one other than the sender and the receiver knows how much. The sender knows that the receiver has AT LEAST the amount sent, nothing more. In a WannaCry scenario, unless you get everyone that sent the money to say "I did it", you will never know how much was sent and where it is in a currency like Monero (I haven't looked into ZCash's process).

Concluding, KYC/AML isn't enough to deter anyone from anonymously cashing out, assuming they're not dumb. I'm a strong supporter of Monero and their tech, and their argument against ZCash is clear - if only some are using the anonymity process, then no one is truly anonymous.

kewde commented 7 years ago

@hugoncosta I wasn't saying that Zooko was right about this whole KYC/AML argument, I was merely stating that there was no intention (at least in that specific statement) to change Zcash wallet software to make it more traceable.

I don't see the relevance of the second paragraph, but the same applies to Zcash.

'if only some are using the anonymity process, then no one is truly anonymous.' - I agree with your stance from a macroscopic (dare I say altruistic) perspective, I think it's beneficial to getting people to use anonymous currencies because then in general there are more potential subjects. However, it isn't correct: anonymity always works within a set. In the digital world you are always anonymous among X people. 'Truly anonymous' doesn't exist. From the macroscopic perspective, there are probably more people using Monero than there are using the Zcash's anonymity features but that doesn't directly imply that a transaction through Monero is more anonymous than on Zcash. If you were to take everyone using Monero and make them use Zcash then, in an ideal world, they would be better off privacy-wise, mainly because the obfuscation on a transactional level is superior. The theoretical anonymity of a single transaction is magnitudes lower for RingCT than for Zcash.

urza commented 7 years ago

The main problem with recommending ZCash to someone who needs to make private and anonymous financial transactions is this:

The company that is developing ZCash just doesn't seem to realise what privacy means in the real world. They are more like a group of academics testing their new cryptographic idea as a startup. And when the first ransomware emerges, they are ready to back up and suggest finding ways to make ZCash more traceable, comply with KYC/AML etc. Compare this with Monero, where privacy is clearly stated as the no1 focus of the cryptocurrency, an ongoing effort that is still being worked on and improved. Not just on the blockchain level, but on all levels of making financial transactions in the real world. For example Kovri is an ongoing development of I2P integration into the whole network by default. There is also a whole ecosystem of tools (like xmr.to) that make it usable for anonymous payments, and there are guides (like monero.how) that help people understand how to use it correctly and anonymously. The focus of the Monero project is very much aligned with "privacytools recommendation". Zcash? Who knows.

kewde commented 7 years ago

They can not retroactively deanonymize transactions. If they do implement something that is the opposite of privacy, then it should obviously be removed from privacytools.io. Don't forget that such an alteration of the currency would require a fork, requiring the miners and users to migrate to the client. I don't immediately see them jumping ship, when their main purpose is to provide private transactions. A tweet of one man does not define the fate of a cryptocurrency.

Both Bitcoin and Zcash already provide more or less the functionality that Kovri would offer, but over the Tor network through stream isolation. They inherited that from the Bitcoin codebase, but once you point your bitcoind or zcashd to 127.0.0.1:9050 it will create a new circuit for each node.

wangkesen commented 7 years ago

“Claiming that you have no privacy without having it” Yeah I was pretty much convinced otherwise after h us much.

hyc commented 7 years ago

Forks remain forks.

We're talking about Zcash as it exists, not about possible forks. Zcash as it exists is run by a corporation that's vulnerable to coercion from TLAs, and whose CEO has already publicly stated that he's amenable to weakening his coin's security. And has systematically laid out plans to break his coin's anonymity at scheduled intervals of time. And has already demonstrated its own ability to trace its transactions. Why you still defend it so vigorously makes no sense.

hyc commented 7 years ago

They can not retroactively deanonymize transactions.

Are you so sure? Reread those 3 links I posted in this comment https://www.reddit.com/r/Monero/comments/6k57zy/can_we_get_a_fair_comparison_of_zcashs_private/djjzsp7/ They can retroactively reveal the balances of all shielded addresses. What makes you think they can't then trace all the transactions that made up those balances?

kewde commented 7 years ago

We're talking about Zcash as it exists, not about possible forks.

If you want to talk about Zcash as it exists, then please do so, because I'm not aware of any malicious insertions in their codebase that suggest that they are actively making it more traceable. I mostly keep tabs on what their developers are actually doing, not on what the sales guy says. Zooko might be a fool, but you need more than a fool to destroy a cryptocurrency. I think he just does the dance with legality, just like they avoid the usage of the word "anonymous" on their website and communications.

And has systematically laid out plans to break his coin's anonymity at scheduled intervals of time

He has mentioned one way of possibly doing a coin supply audit, which involves revealing the amounts. That doesn't automagically deanonymize a transaction.

And has already demonstrated its own ability to trace its transactions. Why you still defend it so vigorously makes no sense.

The anonymity set per transaction is every output in existence on the chain. Even you must admit that such a large anonymity set is the holy grail of anonymous cryptocurrencies. RingCT is interesting to me but mostly for the wrong reasons. More specifically, the many attacks and different situations make it a fun game of creating new analysis strategies. The limitations of ring signatures are starting to show, the debate about mixin input selection for example. People actually spend their coins rather fast, which creates an input distribution that is heavily skewed. If you want to actually match that distribution you'll need to pick more recent outputs as mixins, making it more vulnerable to active deanonymization attacks. This is because of the rather low anonymity subset per transaction in comparison to Zcash.

They can retroactively reveal the balances of all shielded addresses.

I'm very sure they can't retroactively reveal the balances of shielded addresses without consent of the user; Revealing the balance of a shielded address doesn't magically deanonymize it.

hyc commented 7 years ago

If you want to talk about Zcash as it exists, then please do so because I'm not aware of any malicious insertions in their codebase that suggest that they are actively making it more traceable.

What makes you think such code is in any codebase you have access to? Zcash is clearly not decentralized, and code to monitor the network has already been deployed at least once before: https://z.cash/blog/security-announcement-2017-04-13.html

The anonymity set per transaction is every output in existence on the chain.

This is obviously false. Try again. Transparent transactions don't do anything for the anonymity of shielded transactions, and shielded transactions are still less than 10% of the network.

"In theory, theory and practice are the same. In practice, they're different." In theory, ZK-SNARKS provide perfect privacy. In practice, no exchanges support them, and very few users use them because the computational costs of creating shielded txns are too high. They've been working on this since at least 2013 and the issue remains just as bad. (And Moore's Law is dead, so they can't just say "well CPUs will get faster in the future and this won't be a problem.")

Revealing the balance of a shielded address breaks one of the guarantees "hide the sender, recipient, and value of transactions in z-addresses." The centralized authority of Zcash corp. is monitoring the network and can probably break the other two. You have no way to prove otherwise.

The fact that the Zcash network can't be audited without breaking these original guarantees should also trouble anyone considering using it. It renders the coin completely worthless as a store of value if you have no guarantees against uncontrolled inflation, and if the only way to check for counterfeiting inflation is by periodic unshielding audits, it is completely worthless as a privacy store.

I'd ask you to provide links/references for any further assertions you make, because you're obviously getting the facts wrong here.

kewde commented 7 years ago

Revealing the balance of a shielded address breaks one of the guarantees "hide the sender, recipient, and value of transactions in z-addresses." The centralized authority of Zcash corp. is monitoring the network and can probably break the other two. You have no way to prove otherwise.

Actually it wouldn't. Just like with stealth addresses, you wouldn't be able to tag the balance to the z-address. The next part of this paragraph contains some wild and unsubstantiated claims for which I'd like to see some references. In the field of security, you prove to me that you can break something, not the other way around.

https://github.com/zcash/zcash/issues/2371

(In fact, it might also be possible to use a simpler zk proving system, that would not need a trusted setup, to keep the amounts transferred between epochs private while still allowing them to be audited. I'll file a separate ticket about that once I've thought about the details.)

Seems like they might be able to keep the amount private after all.

The fact that the Zcash network can't be audited without breaking these original guarantees should also trouble anyone considering using it. It renders the coin completely worthless as a store of value if you have no guarantees against uncontrolled inflation, and if the only way to check for counterfeiting inflation is by periodic unshielding audits, it is completely worthless as a privacy store.

I can equally change Zcash to Monero in that statement. I don't think I have to remind you about the 2 infinite money bugs in Monero, one of which was luckily detectable. The other bug, discovered in testnet was undetectable. As far as I know, there are currently no measures to provide auditability on the Monero blockchain.

hyc commented 7 years ago

I can equally change Zcash to Monero in that statement.

Wrong again. The Monero coinbase transactions are always transparent, so the entire money supply can always be audited by anyone, any time.

hyc commented 7 years ago

In the field of security, you prove to me that you can break something, not the other way around.

In regards to Zcash - prove to me that the trusted setup parameters were actually destroyed. Prove to me that Zooko was only talking about KYC/AML exchanges when he talked about making Zcash "too traceable." You're far too willing to take Zcash's word for something that an objective observer would remain skeptical about.

kewde commented 7 years ago

Wrong again. The Monero coinbase transactions are always transparent, so the entire money supply can always be audited by anyone, any time.

Coinbase transactions are, but other transactions can also inflate the supply, given that there is a bug in CT that allows them to. Which was the case, twice.

In regards to Zcash - prove to me that the trusted setup parameters were actually destroyed. Prove to me that Zooko was only talking about KYC/AML exchanges when he talked about making Zcash "too traceable." You're far too willing to take Zcash's word for something that an objective observer would remain skeptical about.

The only reason I take it so far is to nuance your opinion of it. You paint them as the devils in disguise. Read it completely, don't just cherrypick the pieces you like.

The exact tweet you're quoting, read the follow up. https://mobile.twitter.com/zooko/status/863202798883577856

Fomo Sapiens @fomosapiens Replying to @zooko so if some day NSA knocks on your door you are going to make everyone's transactions untraceable too? i'll have to rethink zcash now.

zooko @zooko I think you meant "traceable", and it would be impossible for me to do that, because I can't violate the laws of math.

zooko @zooko I don't mean weakening security ((link: https://z.cash/support/faq.html#backdoor) z.cash/support/faq.ht…). I mean that a secure protocol layer is compatible with good law enforcement.

ghost commented 7 years ago

I don't mean weakening security ((link: https://z.cash/support/faq.html#backdoor) z.cash/support/faq.ht…). I mean that a secure protocol layer is compatible with good law enforcement.

What? So the protocol is going to decide whether the adversary is "good" law enforcement?

Otherwise, not weakening security whilst being compatible with "good" law enforcement implies that the security doesn't have to be weakened in order to be compatible with "good" law enforcement, therefore it's insecure at the moment?

I don't see how anything can be secure yet compatible with law enforcement.

I wouldn't trust anything developed with being compatible with law enforcement in mind.

kewde commented 7 years ago

What? So the protocol is going to decide whether the adversary is "good" law enforcement?

I mean that a secure protocol layer is compatible with good law enforcement.

What he means is that a secure protocol layer shouldn't be explicitly weakened to accommodate for law enforcement. Good law enforcement doesn't require insecure protocols.

We're not going to break HTTPS on purpose just to let the snoops in. HTTPS is perfectly compatible with (legal) law enforcement as far as I know, are you suggesting its insecure? :smile:

ghost commented 7 years ago

HTTPS is based on CA's which are subject to warrants -- law enforcement.

The point of "decentralizement" is to avoid exactly this.

One of the main uses of cryptocurrencies is free market, an enemy of governments. Cryptocurrencies should not be subject to law enforcement per se.

You're implying law enforcement is (always) good. By this logic, we should focus on developing technologies which would help law enforcement catch criminals like Snowden.

kewde commented 7 years ago

We're getting a bit off track here, but I never implied that in any form or shape.

I don't see any evidence, or even the intent to weaken the current Zcash protocol and/or reference client to favor law enforcement. What I did see, was someone tweeting that good law enforcement doesn't require people to purposefully weaken the security.

ghost commented 7 years ago

"someone tweeting that good law enforcement doesn't require people to purposefully weaken the security" != being compatible with good law enforcement

"Doesn't require people to purposefully weaken the security" meant how?

That the protocol can be broken by law enforcement already, or that "good" law enforcement is so good they don't require anyone to comply?

I doubt the latter. You compared it to HTTPS.

Further in the replies:

⛓️ Edwin den Boer @edbwt May 14 Is Zcash compatible with Jeff Sessions' idea of good law enforcement? How about Duterte, the Saudis, or Putin?

Virgil Vaduva @VirgilVaduva May 14 Replying to @zooko Most laws are immoral. Why would you get involved in that process?

urza commented 7 years ago

The main point in the context of privacy tools should be which currency can better protect the anonymity and privacy of people who need that, because their security or life may depend on it. There are plenty of regimes where doing a financial transaction may cost you years in prison or indeed threaten your life, and there is no guarantee that the users of these recommended cryptocurrencies will be tech savvy. So 'better' in this context is more about ease of use, ecosystem and the whole setup of the project. I really can't recommend using Zcash over Monero with what I know to someone in this possible situation. Just because Zcash has anonymity optional, is easier to track on exchange points (almost no service accepts shielded txs) and there are doubts about what their CEO meant by "make it too traceable for criminals to use". Who decides who/what is criminal? Iranian Government? US Government? Zooko himself?

Compare with Monero, where anonymity is default, the community has a record of helping whoever needs the help, developers are clearly aware that what they do might affect lives of people, and also Monero has a larger network effect which might be very important for IRL operations.

Zcash is a nice academic exercise of testing new cryptography and the project is developed by some very intelligent academics. But real world privacy requires more than that.

kewde commented 7 years ago

That the protocol can be broken by law enforcement already, or that "good" law enforcement is so good they don't require anyone to comply?

Good and effective law enforcement in my opinion, is doing detective work on individual cases. A fishnet approach isn't effective and fills the process with a lot of clutter. LE doesn't need to know the exact path the money came from, it can be anonymous. The person they targeted has to explain and prove where the money came from just like with cash money.

You have a mangled definition of "security" to be honest: if LE gets your private keys/CAs then indeed, it's game over. But then you can just shut down privacytools.io because not a single tool would be up to your standards. Should we remove Tor or Signal? Is Monero insecure because LE has the transaction history if they get ahold of the wallet file? I, and I assume most people, consider something to be secure when there are no cryptographic backdoors (or bugs).

Just because Zcash has anonymity optional, is easier to track on exchange points (almost no service accepts shielded txs)

This is quite vague, it makes it easier to track for whom? How would this attack be applied? I haven't seen any evidence or write ups describing this attack. I can see where it is heading, and I've heard the main pseudo-argument is something along the lines of 'oh but the amounts are public, that makes analysis easy'. I haven't seen any evidence of that.

Also let's just assume there are vulnerabilities in the protocol, and we apply the attack to the enormous anonymity subset per transaction. Let's assume that our imaginary statistical attack allows us to narrow down the potential inputs to 10% of the initial set (a 90% reduction, that is quite effective, I'm being generous here); well, that 10% still has a lot more mixins than a Monero transaction.

A statistical attack applied on Monero, causing a 90% reduction, will cause a lot more trouble than on Zcash. The enormous anonymity set makes it naturally resistant against statistical attacks.
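The anonymity-set arithmetic that kewde lays out above (the 1 / (r + 1) guess against a fixed-size ring versus a guess against a growing shielded pool, the r^x self-churn heuristic, and the "90% reduction" comparison) and the "youngest mixin is the real spend" time-correlation attack he mentions earlier can be checked with a toy model rather than argued. The block below is an added example for this thread; it is not code from Monero, Zcash, or either project's analysis tooling. Ring size, chain length, the uniform decoy-selection rule, the exponential spend-age distribution with an assumed mean, and the "keep 10% of candidates" attack strength are all assumptions chosen for illustration.

```python
"""
Toy model of per-transaction anonymity sets (ring signature vs. single
shielded pool) and of the 'youngest ring member is the real spend'
heuristic. Added example; all parameters below are assumed, not measured.
"""
import random


def ring_guess_probability(ring_size: int) -> float:
    """Chance of picking the true spend at random from a ring of
    ring_size members (r decoys + 1 real input): 1 / (r + 1)."""
    return 1.0 / ring_size


def shielded_pool_guess_probability(pool_size: int) -> float:
    """Same random guess against a single shielded pool whose anonymity
    set is every shielded output so far; tends to zero as the pool grows."""
    return 1.0 / pool_size


def churn_anonymity_set(ring_size: int, hops: int) -> int:
    """The 'send to yourself x times for r^x' heuristic quoted in the thread,
    with r = number of decoys per ring. An upper bound: it assumes the hops
    cannot be linked to each other by timing."""
    return (ring_size - 1) ** hops


def residual_candidates(anonymity_set: int, keep_fraction: float) -> int:
    """Candidates left after a statistical attack that discards
    (1 - keep_fraction) of the set, never below one."""
    return max(1, int(anonymity_set * keep_fraction))


def compare_after_attack(ring_size: int, pool_size: int, keep_fraction: float) -> tuple:
    """(ring residual, pool residual) when the same attack hits both models."""
    return (residual_candidates(ring_size, keep_fraction),
            residual_candidates(pool_size, keep_fraction))


def youngest_input_hit_rate(n_rings: int, ring_size: int, chain_len: int,
                            real_age_mean, seed: int = 1) -> float:
    """
    Monte Carlo of the 'youngest ring member is the real spend' guess.
    Decoy ages (blocks since the output was created) are uniform over the
    chain, i.e. naive decoy selection. The real input's age is exponential
    with mean real_age_mean blocks, i.e. people spend soon after receiving.
    real_age_mean=None draws the real input uniformly too, which is the case
    where decoys are indistinguishable from real spends.
    Returns the fraction of rings in which the guess is right.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_rings):
        if real_age_mean is None:
            real_age = rng.randrange(chain_len)
        else:
            real_age = min(chain_len - 1, int(rng.expovariate(1.0 / real_age_mean)))
        ages = [rng.randrange(chain_len) for _ in range(ring_size - 1)] + [real_age]
        youngest = min(ages)
        # count a hit only when the real input is the unique youngest member
        if real_age == youngest and ages.count(youngest) == 1:
            hits += 1
    return hits / n_rings


if __name__ == "__main__":
    print("ring of 5, random guess:", ring_guess_probability(5))
    print("pool of 100000, random guess:", shielded_pool_guess_probability(100_000))
    print("3 self-spends, ring size 5, r^x bound:", churn_anonymity_set(5, 3))
    print("after a 90% reduction, ring 5 vs pool 100000:",
          compare_after_attack(5, 100_000, 0.1))
    print("youngest-input hit rate, fast spenders (mean age 10):",
          youngest_input_hit_rate(20_000, 5, 100_000, 10))
    print("youngest-input hit rate, uniform spenders:",
          youngest_input_hit_rate(20_000, 5, 100_000, None))
```

Under these assumptions the fast-spender case lets the youngest-input guess succeed almost every time, while the uniform case falls back to the 1 / (r + 1) baseline; that is the skewed-spend-distribution problem referred to above, and it is exactly what realistic decoy selection (picking recent outputs as mixins) is meant to blunt. The pool comparison only shows that a 90% reduction of a large set leaves far more candidates than a 90% reduction of a five-member ring; it says nothing about whether such an attack exists for either coin.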

ghost commented 7 years ago

The person they targeted has to explain and prove where the money came from just like with cash money.

That's immoral and false.

Your logic seems mangled. CAs possess the private key, not you. A CA is subject to warrants, you are not. By your logic, we shouldn't recommend any tools at all since they're rendered useless by bad opsec.

kewde commented 7 years ago

That's immoral and false.

That's how the law works for cash in my jurisdiction. I'm not saying it's moral, I'm pointing it out as an example that anonymous cryptocurrencies are compatible with LE in the same way that cash is. The only opinion I expressed in my previous comment is that LE should work on a case by case scenario, not a fishnet approach. It's not because you're a Zcash or Monero user that you suddenly should be looked into by LE.

I suggest you take a look at the TLS specification, RFC5246.

CAs don't possess the (most important) private key, the one used for encryption. They can however issue new private keys for an instance, which is indeed a security issue. You can equally be subject to those warrants; Lavabit is an example of that. You can "pinpoint" a certificate for a website by the way, causing your browser to display an error when it changes.

I don't know what made you interpret my words and come to that conclusion. By my logic, we should recommend tools that are considered secure, both cryptographically and in reality.
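The certificate pinning mentioned in the comment above, as an added illustration that is not part of this thread or of any project discussed in it. The key material is constructed placeholder bytes standing in for DER-encoded SubjectPublicKeyInfo structures; the host name, the pin store layout and the fallback behaviour for unpinned hosts are assumptions for the example, not anyone's deployed policy.

```python
import base64
import hashlib

# Pin store shape assumed for this example: hostname -> set of accepted
# "sha256/<base64>" pins, in the style used by HTTP Public Key Pinning.
# Two pins are kept per host so that a key rotation to the backup key
# does not lock clients out.


def spki_pin(spki_der: bytes) -> str:
    """Return the pin string for a DER-encoded SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def check_pin(host: str, presented_spki_der: bytes, pins: dict) -> bool:
    """Accept the presented public key only if it matches a stored pin.

    Assumption for this example: a host with no pin configured falls back
    to ordinary chain validation, so this check returns True for it.
    A host with a pin is rejected when the presented key changes, which is
    what produces the browser error described in the thread.
    """
    accepted = pins.get(host)
    if not accepted:
        return True
    return spki_pin(presented_spki_der) in accepted


# Constructed sample key material (placeholder bytes, not real keys).
CURRENT_KEY = b"constructed-spki-bytes-example.invalid-key-1"
BACKUP_KEY = b"constructed-spki-bytes-example.invalid-key-2"
ROGUE_KEY = b"constructed-spki-bytes-rogue-key"

PINS = {
    "example.invalid": {spki_pin(CURRENT_KEY), spki_pin(BACKUP_KEY)},
}

if __name__ == "__main__":
    # Expected: True (current key), True (backup key), False (key changed).
    print(check_pin("example.invalid", CURRENT_KEY, PINS))
    print(check_pin("example.invalid", BACKUP_KEY, PINS))
    print(check_pin("example.invalid", ROGUE_KEY, PINS))
```

The point of the backup pin is operational: a pin set with a single key turns a routine certificate rotation into an outage, so the second pin is published before the key it covers is ever deployed.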

ghost commented 7 years ago

Sorry, I meant providers using TLS, not CAs.

immoral and false

CCs are a way to evade immoral economic government oppression. In many jurisdictions, there are things like the Fifth Amendment of the US Constitution. And with good opsec combined with good CCs, you don't need the Fifth anyway.

I'm not saying it's moral, I'm pointing it out as an example that anonymous cryptocurrencies are compatible with LE in the same way that cash is.

contradicts

The only opinion I expressed in my previous comment is that LE should work on a case by case scenario

Also

By my logic, we should recommend tools that are considered cryptographically secure.

Cryptographically secure implies incompatibility with law enforcement.

kewde commented 7 years ago

If it's not moral, shouldn't CCs be better than cash?

I'm not saying it's moral or immoral. There's nothing more anonymous than tangible goods; there is no direct history to those. Everything comes with a history on the blockchain.

Cryptographically secure means incompatible with "good" law enforcement.

No it doesn't. There are many opinions on what "good" law enforcement is or is supposed to be. Something being (reasonably) cryptographically secure is a fact. It being incompatible with 'good' LE depends on your opinion of what 'good' LE is.

I stand behind the statement that 'good' LE doesn't require a protocol's author to deliberately make it insecure. Any LE that does is 'bad' LE.

ghost commented 7 years ago

I said it implies incompatibility. I changed a few things in my comment before you posted, so you may want to update your post as well.

Anyway, I stand behind the statement that law enforcement is often unethical per se, but that's off-topic. Your statement that good LE doesn't require someone to make a protocol insecure seems irrelevant, given zooko was talking about making Zcash compatible with LE.

kewde commented 7 years ago

making Zcash compatible with LE

That would imply a backdoor, which they've already committed to not doing (check their FAQ on their website). Making such a change would be detectable and require a fork, and if they do implement it then Zcash will be removed.

Cryptographically secure implies incompatibility with law enforcement.

It doesn't imply it either. Ask anyone if they consider Signal to be cryptographically secure and compatible with LE, the answer will be 'yes' on both.

There are good reasons as to why everyone should think that secure protocols are compatible with LE. Because if you don't, then the general opinion will allow backdoors.

ghost commented 7 years ago

And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry

kewde commented 7 years ago

And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry

"I can" != "I will"

ghost commented 7 years ago

Still a bad way of thinking for an anonymous cryptocurrency dev.

kewde commented 7 years ago

Still a bad way of thinking for an anonymous cryptocurrency dev.

Is it? I think it's genius, spreading the idea that LE and anonymous currencies aren't enemies. Anonymous currencies have a long way to go before being accepted by the general public, and I'm all for spinning the public narrative in the direction that anonymous currencies are just like "good old cash". If we were now (as a theoretical exercise) to imprint the idea into public opinion that the two are inherently incompatible, then we would be screwing ourselves over, because all the pussies will pick 'LE' over 'secure protocols' without a shred of doubt.

ghost commented 7 years ago

because all the pussies will pick 'LE' over 'secure protocols' without a shred of doubt.

Will they? Take the Apple vs FBI case as an example. A lot of people were on Apple's side.

kewde commented 7 years ago

Will they? Take the Apple vs FBI case as an example. A lot of people were on Apple's side.

Many people were, but even 1% of Apple's users is considered a lot. The other 99% couldn't even care. Anyways, ask yourself: what percentage of the people you know in your daily life care deeply about privacy and security?

hugoncosta commented 7 years ago

@kewde I believe this is going way off topic. "What's the percentage of people you know that care about privacy?" - what's this website all about? In my mind, we're supposed to give alternatives to "normal" services, that's it. Everything has its flaws, we have to be careful even with the most "secure" systems.

But to answer the question, 0. No rounding down, literally, 0. And I know a ton of geeks, software engineers, and they're connected to Google, location on, no password managers, nothing.

Apple vs FBI just confirmed what we already knew - sheep will repeat what people tell them. Those that were on FBI's side couldn't understand what it could do to Apple's products and their privacy/safety. In the long run, I hope the new generation that's in the oven right now will understand what really matters. Although with recent updates on Snapchat, it just shows me that this generation is getting deeper and deeper into the Big Data's arms.