[-] Saki@monero.town 7 points 9 months ago* (last edited 9 months ago)

Allegedly the “evil hacker” had stolen 2,675.73 XMR, and now allegedly someone “returned” 2,696.73. This feels suspicious, especially 0.73. Thoughts?

PS nitter.net unblocked Tor again. A Tails-friendly link, just in case Tor is re-blocked:
https://nitter.oksocial.net/watchfund/status/1732391070216908886

[-] Saki@monero.town 8 points 10 months ago
  • Tuta (free): you can send only like 6 emails per day. Otherwise, Tor-friendly. No onion. Support forum on Reddit 😞 Germany.
  • Posteo.de: 1 €/mo affordable. Nothing fancy. Support via PGP like that’s common sense. Germany. Non-crypto anonymous payments w/ various options (e.g. a prepaid CC): they don’t even ask your name (much less address, cell phone number).
  • Disroot.org: Free, pop/smtp, community-based, trusted even by the Tails team. w/ onion. Netherlands.
  • Cock.li: Free, pop/smtp etc. Very Tor-friendly w/ fast onion. It’s good if you think of it as disposable. Irresponsible in a way (aka Freedom), but actually 10-year-old & stable. Romania.
  • Proton (free): bloated, very mixed opinions, yet better than Google. w/ onion (slow). Switzerland. A simple feature like Plain Text view is missing (HTML by default: not serious about privacy).
[-] Saki@monero.town 7 points 10 months ago* (last edited 10 months ago)

@ShadowRebel = @SummerBreeze Could you avoid a clickbait-ish title, though? Some users do find (some of) your posts informative and good. Stay cool and don’t sensationalize it :)

[-] Saki@monero.town 7 points 10 months ago

See also:

Secretive White House Surveillance Program Gives Cops Access to Trillions of US Phone Records

The French National Police is unlawfully using an Israeli facial recognition software [installed massively and secretly. The Minister ordered an investigation]

[-] Saki@monero.town 7 points 10 months ago

Their conclusion might be true in a way, but their “6-point proof” is uninformed if they’re criticizing Monero.

  • “All stablecoins are not stable” ← irrelevant to xmr
  • “Every non-stable coin is just a bigger fool scam, since there is no use case for crypto” ← what?!
  • “Crypto destroys customer protections” ← “no middle men” is what we’re intentionally trying to achieve, at the cost of obvious risk
  • “All consensus mechanisms are geared to allow the wealthy to control the crypto economy” ← That’s exactly what Monero is trying to avoid
  • “Crypto gives great privacy protections to anonymous criminals and scammers and destroys privacy for anyone using the system as a honest user.” ← the first half is a valid criticism but the whole sentence doesn’t make sense
  • “Crypto aims to prevent man-in-the-middle attacks” ← that’s not the main goal of xmr

Either way, Monero is not about making money, if that’s your point of view. Many of us are Monero users, not investors. Correct me if I’m wrong!

[-] Saki@monero.town 7 points 10 months ago

The linked article is inaccurate and misleading. Your wild guess is based on that.

Currently the best blockchain analytics publicly available about the incident is this by Moonstone, and even though it seems that the victim shared the secret key with them, nothing much is known due to the nature of the privacy coin. No way other analytics providers could tell more.

Check the original source and some of the comments there before making an irresponsible accusation like the attackers must be North Korean (or Russian, Muslim, Romany, …). A knee-jerk suggestion like that does not only promote unfair racism/stereotypes, but it helps cover up the real mastermind. Although, it’s not your fault that the article is misleading, and we can’t rule out any possibility including what you suggested. The real problem here is this confusing, poorly-written article…

-4
submitted 11 months ago* (last edited 10 months ago) by Saki@monero.town to c/monero@monero.town

Somewhat curious, though not like using xmr speculatively.

  • 2023-11-02T15:57 CCS Wallet Incident · Issue #916 · monero-project/meta · GitHub
  • 2023-11-04T00:39 [Moonstone Research] Postmortem of Monero CCS Hack: A Transaction Graph Analysis (Dated Nov 03)
  • 2023-11-05T07:20 [One of the earliest media reports] Monerujo Wallet User Drains Monero’s CCS Wallet: Report - Coin Edition

Some of the media reports are negatively confusing, like saying the Monero network is defective. Date-Time in UTC.

Edit: Moonstone Research -> 2023-11-04T00:39 was based on the server response headers (last-modified). Apparently the blog post was created about 1 hour earlier (the link was posted on Github at 2023-11-03 23:50).

0
submitted 11 months ago by Saki@monero.town to c/privacy@monero.town

These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic

This enables the government of any EU member state to issue website certificates for interception and surveillance

https://www.internetsociety.org/resources/doc/2023/qualified-web-authentication-certificates-qwacs-in-eidas/

The browser ecosystem is global, not EU-bounded. Once a mechanism like QWACs is implemented in browsers, it is open to abuse

https://en.wikipedia.org/wiki/EIDAS

The proposal would force internet companies to place a backdoor in web browsers to let them perform a man-in-the-middle attack, deceiving users into thinking that they were communicating with a server they requested, when, in fact, they would be communicating directly with the EU government. […] If passed, the EU would be able to hack into any internet-enabled device, reading any sensitive or encrypted contents without the user's knowledge

See also: https://mullvad.net/en/blog/2023/11/2/eu-digital-identity-framework-eidas-another-kind-of-chat-control/

5
submitted 11 months ago* (last edited 11 months ago) by Saki@monero.town to c/monero@monero.town

Nothing really new for us. Just one of the earliest media reports for the record.

Edit (2023-11-06): Apparently, one of the earliest reports about the incident by general (“outside”) media is, Monerujo Wallet User Drains Monero’s CCS Wallet: Report [blocking Tor: archive.org], at 2023-11-05T07:20+00:00.

It’s interesting to see how general people are looking at this, and relatedly how they are thinking about Monero, although generally what’s written there is nothing new nor helpful for us (often disturbingly inaccurate even). For this reason I posted a few random links to related articles. You can add more and comment on it, if there is anything interesting or especially stupid 😖

5
submitted 11 months ago by Saki@monero.town to c/monero@monero.town

While privacy coins promise enhanced anonymity and financial freedom, they also pose challenges […] they often face heightened regulatory scrutiny, with some governments banning or heavily regulating their use.

the very feature that makes them attractive – their privacy – can also be their Achilles’ heel. […] This dual-edged sword might deter potential new adopters and pose reputational risks for those involved in legitimate uses of privacy coins.

Cryptocurrency privacy is vital for ensuring personal liberty and maintaining fungibility, becoming even more crucial as surveillance and data collection grow. […] a balance of innovative privacy technologies and thoughtful regulation is essential

We all know this; not easy.

[-] Saki@monero.town 6 points 11 months ago

Check kycnot.me - popular options include: localmonero; get coins you can get (e.g. bisq) and swap (e.g. trocador) - or you can do both on bisq too (Haveno is coming soon?)

0
submitted 11 months ago by Saki@monero.town to c/privacy@monero.town

1️⃣ Completely normal photos, such as holiday pictures 🏞️ are considered suspicious.

2️⃣ So our private family photos or the chats and pictures from your sexting yesterday 🍑🍆 also end up on an official table. So we can throw privacy in the bin 🚮

Chances are high that most of your European friends have never heard of chat control. So let them know about the danger and what you think about the chat control proposal.

“The European Commission launched an attack on our civil rights with chat control. I contacted my local MEP to tell him that I oppose the proposal. You can do so too! This Website I found will help you write an e-mail to an MEP using A.I.”

[-] Saki@monero.town 8 points 11 months ago

Because my videos will be a bunch of Monero wallet tutorials.

Sorry I have to say this, but you misinformed people here, saying one shouldn’t use Feather on Tails. It’s okay, everyone makes a mistake, but you stopped engaging in conversations here on Monero.town as soon as questions were asked related to your confusing statements. So I’m not sure how to feel about this, although what you’re trying to do seems generally interesting and your website can be informative if one doesn’t believe it blindly.

In fact, your website still claims “Although you’d think Feather wallet would be the slowest because of Tor, it’s actually very efficient and fast as a light wallet. Since the IP address is hidden” etc. which is kind of confusing (Feather is fast by default because syncing is not via Tor, so your IP is not hidden). You’d trivially know such basics if you were an actual wallet user, let alone someone suitable to author wallet tutorials. Perhaps you can help us with other things, not about Monero wallets. Thank you!

0
submitted 1 year ago* (last edited 11 months ago) by Saki@monero.town to c/privacy@monero.town

exchanges may randomly use this to freeze and block funds from users, claiming these were "flagged" […]. You are left hostage to their arbitrary decision […]. If you choose to sidestep their invasive process, they might just hold onto your funds indefinitely.

The criminals are using stolen identities from companies that gathered them thanks to these very same regulations that were supposed to combat them.

KYC does not protect individuals; rather, it's a threat to our privacy, freedom, security and integrity.

  • For individuals in areas with poor record-keeping, […] homeless or transient, obtaining these documents can be challenging, if not impossible.

PS: Spanish speakers: KYC? NO PARA MÍ

0
submitted 1 year ago by Saki@monero.town to c/privacy@monero.town

Cloudflare-free link for Tor/Tails users: https://web.archive.org/web/20230926042518/https://balkaninsight.com/2023/09/25/who-benefits-inside-the-eus-fight-over-scanning-for-child-sex-content/

It would introduce a complex legal architecture reliant on AI tools for detecting images, videos and speech – so-called ‘client-side scanning’ – containing sexual abuse against minors and attempts to groom children.

If the regulation undermines encryption, it risks introducing new vulnerabilities, critics argue. “Who will benefit from the legislation?” Gerkens asked. “Not the children.”

Groups like Thorn use everything they can to put this legislation forward, not just because they feel that this is the way forward to combat child sexual abuse, but also because they have a commercial interest in doing so.

they are self-interested in promoting child exploitation as a problem that happens “online,” and then proposing quick (and profitable) technical solutions as a remedy to what is in reality a deep social and cultural problem. (…) I don’t think governments understand just how expensive and fallible these systems are

the regulation has […] been met with alarm from privacy advocates and tech specialists who say it will unleash a massive new surveillance system and threaten the use of end-to-end encryption, currently the ultimate way to secure digital communications

A Dutch government official, speaking on condition of anonymity, said: “The Netherlands has serious concerns with regard to the current proposals to detect unknown CSAM and address grooming, as current technologies lead to a high number of false positives.” “The resulting infringement of fundamental rights is not proportionate.”

0
submitted 1 year ago by Saki@monero.town to c/privacy@monero.town

As enacted, the OSB allows the government to force companies to build technology that can scan regardless of encryption–in other words, build a backdoor.

Paradoxically, U.K. lawmakers have created these new risks in the name of online safety.

The U.K. government has made some recent statements indicating that it actually realizes that getting around end-to-end encryption isn’t compatible with protecting user privacy. But

The problem is, in the U.K. as in the U.S., people do not agree about what type of content is harmful for kids. Putting that decision in the hands of government regulators will lead to politicized censorship decisions.

The OSB will also lead to harmful age-verification systems. This violates fundamental principles about anonymous and simple access

See also: Britain Admits Defeat in Controversial Fight to Break Encryption

[-] Saki@monero.town 6 points 1 year ago

Since LibreWolf is libre software, it’s likely that a user has freedom to tweak this maybe via about:config. You just need to ask this directly in the LibreWolf community.

I think I know what you’re talking about, though. Perhaps CSS @font-face is forbidden, because many sites use Google fonts, which allows them to track you.

If Tor Browser is acceptable, give it a try. While TB too has very strict font restrictions to avoid finger-printing (so that a remote site may not know which fonts your system already has), web fonts are allowed by default. It’s relatively harder to distinguish/track individual Tor users, since TB hides your real IP & by default cookies are per session only.

LibreWolf shows your real IP, so it’s understandable and reasonable that it wants to be more careful about fonts. Still a user should be given freedom to do whatever, at their own risk. That’s what free software is all about, after all. Just a thought…

[-] Saki@monero.town 8 points 1 year ago

So you are lolcat and spamming the link to 4get.ca? If so, that makes you look a bit uncool.

https://monero.town/u/asmodeus@programming.dev

Good things: unlike DDG or MetaGer, zero tracking. zero ads. Clean. Unlike SearXNG, you’re not using Github (a good move). This might become huge. The fact that it’s not perfect now, doesn’t matter.

Bad things: Obviously it’ll be hard to be better than SearXNG. A donation link is especially bad; ko-fi.com itself can be there, but… In the donation campaign, SearXNG accepted crypto, while you’re only using a Paypal-like thing. That’s not really cool.

[-] Saki@monero.town 7 points 1 year ago
4
submitted 1 year ago by Saki@monero.town to c/monero@monero.town

Windows user who'd like to try Tor + wallet etc.: if this is your first time, it may take like 10-20 minutes, but everything is easy.

Although there may be an easier shortcut (see below), the regular way is like this:

  1. Go to https://www.torproject.org/download/tor/ and get a "Tor Expert Bundle" (get one that says 64 if your CPU is 64-bit). To open this ".tar.gz" file, you may need a tool like 7-zip. (*1)
  2. Open (decompress) it to get a .tar; open (untar) this .tar, and you'll see two folders ("data" and "tor") there. Copy these 2 folders (with everything inside them) to a new folder, created wherever you like.
  3. Open the "tor" folder, and double click on tor.exe. If asked, allow it to run and allow it to make remote connections. A text-based window (console) appears with status messages (read them to see if it's working). That's it. You're now running your own copy of Tor.

Once this is ready, you can optionally Tor-ify any tool that supports proxy (Socks5) server. Go to the "Network" or "Proxy" settings of the tool (e.g. Monero Official GUI), and input the proxy server address "127.0.0.1" (without quotes), port number "9050", and if necessary, select the type of your proxy, "Socks5". Your login name and password (if asked) can be empty or anything random (*2).

(*1) Technically, you're supposed to verify a PGP sig here. For now, let's say if you download a file from (archive.)torproject.org, it should be safe.

(*2) Similarly, you can Tor-ify other tools, e.g. a chat tool, a BitTorrent client. A regular browser can also be Tor-ified but that's a bit tricky and usually unnecessary: for web browsing, using Tor Browser is a good idea.

Official GUI vs. Feather (about Tor)

  • Official GUI: Tor is not used by default. You'll have to do manual settings and run your own copy of Tor, like above.
  • Feather: Tor is used automatically. That's easy. However, according to the docs, Tor is NOT ALWAYS used by default, unless you select "Always over Tor" or you're on Tails, etc. Another potential problem of Feather is, if you automatically use Tor coming with Feather, you might be stuck with an old version of Tor. This is because Tor tends to be updated more often than Feather. A solution is…

The same page states:

Feather releases are bundled with a Tor binary. If the presence of a local Tor daemon on the default port (9050) is not detected, Feather will place the bundled Tor binary in the config folder and run it on port 19450.

This should mean, if Tor is already listening to 9050, then Feather will just use it. So, if you'd like to: Feather + Latest version of Tor = also easy (just like Official GUI + Tor).

Elsewhere I saw some kind of confusion like "Feather does everything via Tor, yet it's fast" "Since Feather does everything via Tor, don't use it on Tails, which is already on Tor" etc. etc. and felt that this should be clarified and the fact should be shared. This confusion about Tails is kind of understandable, though.

A possible shortcut: If you already have Tor Browser, and if you start it, Tor Browser's Tor is listening to 9150 (I think). Thus you should be able to do wallet etc. + Tor 9150 (instead of 9050), if you don't mind always opening Tor Browser. This might feel easier…
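Before typing a port into a wallet's proxy settings, it helps to confirm that something on that port really answers as a SOCKS5 proxy. The following is an added example, not part of the original post; the function names are made up here, and the ports 9050, 9150 and 19450 are the ones mentioned in the post.

```python
import socket

# Ports named in the post: stand-alone tor.exe (9050), Tor Browser (9150),
# and the fallback port for Feather's bundled Tor (19450).
CANDIDATE_PORTS = {
    9050: "Tor Expert Bundle / system tor",
    9150: "Tor Browser",
    19450: "Feather bundled Tor",
}


def speaks_socks5(host, port, timeout=3.0):
    """Return True if host:port accepts a SOCKS5 'no authentication' greeting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            # RFC 1928 greeting: VER=5, NMETHODS=1, METHOD=0 (no authentication)
            s.sendall(b"\x05\x01\x00")
            reply = b""
            while len(reply) < 2:
                chunk = s.recv(2 - len(reply))
                if not chunk:          # peer closed before answering
                    break
                reply += chunk
            # Expected answer: VER=5, METHOD=0. Anything else (an HTTP error
            # page, a different service) means this is not a usable SOCKS5 port.
            return reply == b"\x05\x00"
    except OSError:                    # refused, timed out, unreachable
        return False


def find_local_socks(host="127.0.0.1", ports=CANDIDATE_PORTS):
    """Map each answering port to its label. A SOCKS5 reply shows that a proxy
    is listening; it does not by itself prove that the proxy is Tor."""
    return {p: label for p, label in ports.items() if speaks_socks5(host, p)}


if __name__ == "__main__":
    found = find_local_socks()
    if not found:
        print("No SOCKS5 listener on 9050, 9150 or 19450: traffic would not go through Tor.")
    for port, label in found.items():
        print(f"127.0.0.1:{port} answers SOCKS5 ({label})")
```

If nothing answers, a tool set to that port either fails to connect or, depending on the tool, may fall back to a direct connection, so it is worth running the check again after restarting Tor.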

1
submitted 1 year ago* (last edited 1 year ago) by Saki@monero.town to c/privacy@monero.town

In a well-intentioned yet dangerous move to fight online fraud, France is on the verge of forcing browsers to create a dystopian technical capability. Article 6 (para II and III) of the SREN [sécuriser et réguler l'espace numérique] Bill would force browser providers to create the means to mandatorily block websites present on a government provided list.

--France’s browser-based website blocking proposal will set a disastrous precedent for the open internet

[Unfortunately one should no longer trust Mozilla itself as much as one did 10 years ago. If you do sign, you might want to use a fake name and a disposable email address.]

This bill is obviously disturbing. It could be that eventually they assume that .onion sites are all suspicious and block them, or something similar might happen, which would be bad news for privacy-oriented users including Monero users, for freedom of thought, and for freedom of speech itself. Note that the EU is going to ban anonymous domains too (in NIS2, Article 28).

For a regular end user, if something like this happens and if the block is domain-name-based, then one quick workaround would be using web.archive.org (or Wayback Classic), or ANONYM ÖFFNEN of metager.de (both work without JS). If this is France-specific, of course a French user could just get a clean browser from a free country too (perhaps LibreWolf or Tor Browser, or even Tails), provided that using a non-government-approved browser is not outlawed.

Mozilla, financially supported by Google, states that Google Safe Browsing is a better solution than SREN, but that too has essentially similar problems and privacy implications; especially Gmail's Enhanced Safe Browsing is yet another real-time tracking (although, those who are using Gmail have no privacy to begin with, anyway).

If it's DNS-level blocking, you can just use a better DNS rather than one provided by your local ISP, or perhaps just use Tor Browser. Even if it's browser-side, as long as it's open-source, technically you're free to modify source code and re-compile it yourself, but that may not be easy even for a programmer, since a browser is complicated, with a lot of dependencies; security- and cryptography-related minor details tend to be extremely subtle (just because it compiles doesn't mean it's safe to use), especially given that Firefox/Thunderbird themselves really love to phone home behind the user's back.

See also: Will Browsers Be Required By Law To Stop You From Visiting Infringing Sites?

2
submitted 1 year ago by Saki@monero.town to c/privacy@monero.town

Having free and open-source tools and a decentralized way of fighting back and reclaiming some of that power is very important. Because if we don’t resist, we’re subject to what somebody else does to us

While Tor is useful in several situations, probably we shouldn't believe in it blindly. For clearnet, LibreWolf is a great option too, and I2P might be the future.

1
submitted 1 year ago by Saki@monero.town to c/privacy@monero.town

The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backdoors into messaging services, which will destroy end-to-end encryption.

Requiring government-approved software in peoples’ messaging services is an awful precedent. If the Online Safety Bill becomes British law, the damage it causes won’t stop at the borders of the U.K.

Random thoughts...

Even if platform-assisted end-to-end encryption (pseudo e2e) is censored, perhaps we could still use true user-to-user encryption. If "end" means the messenger software itself or a platform endpoint, then the following will be true e2e - "pre-end" to "post-end" encryption:

  1. Alice and Bob exchange their public keys. While using a secure channel for this is ideal, a monitored channel (e.g. a normal message app) is okay too for the time being.
  2. Alice prepares her plain text message locally: Alice.txt
  3. She does gpg -sea -r Bob -o ascii.txt Alice.txt
  4. Alice opens ascii.txt, pastes the ascii string in it to her messenger, sends it to Bob like normally.
  5. So Bob gets this ascii-armored GPG message, and saves it as ascii.txt
  6. gpg -d -o Alice.txt ascii.txt, and he has the original Alice.txt
  7. He types his reply locally (not directly on the messenger): Bob.txt
  8. gpg -sea -r Alice -o ascii.txt Bob.txt and sends back the new ascii string
  9. Alice gets it, so she does gpg -d -o Bob.txt ascii.txt to read Bob.txt

In theory, scanning by government-approved software can't detect anything here: Alice and Bob are simply exchanging harmless ascii strings. Binary files like photos can be ascii-armored too.

Admittedly this will be inconvenient, as you'll have to call gpg manually by yourself. But this way you don't need to trust government-approved software at all, because encryption/decryption will be done by yourself, before and after the ascii string goes through the insecure (monitored) channel.
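The nine steps above can be run as one round trip with two separate throwaway keyrings, which also shows how Bob can check that the signature is Alice's. This is an added example, not part of the original post; the user IDs are constructed, the keys have no passphrase, and `--trust-model always` stands in for comparing key fingerprints over a second channel, which is what makes step 1 safe on a monitored channel.

```python
import shutil
import subprocess
import tempfile


def gpg(home, *args, data=None):
    """Run gpg non-interactively against one keyring directory."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes",
           "--pinentry-mode", "loopback", "--passphrase", "",
           "--trust-model", "always",  # demo only: replaces fingerprint checking
           "--status-fd", "2", *args]
    return subprocess.run(cmd, input=data, capture_output=True, check=True)


def new_identity(uid):
    """Create a fresh keyring (mkdtemp makes it mode 0700) holding one key pair."""
    home = tempfile.mkdtemp(prefix="gpg-")
    gpg(home, "--quick-generate-key", uid, "default", "default", "never")
    return home


def fingerprint(home, uid):
    """Primary-key fingerprint, read from gpg's machine-readable listing."""
    out = gpg(home, "--with-colons", "--fingerprint", uid).stdout.decode()
    return next(l.split(":")[9] for l in out.splitlines() if l.startswith("fpr:"))


def exchange_and_send(message):
    alice = new_identity("Alice <alice@example.invalid>")  # constructed IDs
    bob = new_identity("Bob <bob@example.invalid>")
    try:
        # Step 1: public keys cross the monitored channel as ASCII armor.
        gpg(bob, "--import", data=gpg(alice, "--armor", "--export").stdout)
        gpg(alice, "--import", data=gpg(bob, "--armor", "--export").stdout)
        # Steps 2-4: Alice signs, encrypts to Bob and armors (gpg -sea -r Bob).
        armored = gpg(alice, "-sea", "-r", "bob@example.invalid",
                      data=message).stdout
        # Steps 5-6: Bob decrypts; the status lines name the signing key.
        res = gpg(bob, "-d", data=armored)
        signer = next((l.split()[-1] for l in res.stderr.decode().splitlines()
                       if l.startswith("[GNUPG:] VALIDSIG")), None)
        return {"armored": armored,
                "plaintext": res.stdout,
                "signed_by_alice": signer == fingerprint(alice, "alice@example.invalid")}
    finally:
        for home in (alice, bob):  # stop helper daemons, delete throwaway keys
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "all"],
                           capture_output=True)
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    result = exchange_and_send(b"Meet at the usual place.\n")
    print(result["armored"].decode())  # the text that goes through the messenger
    print("signature is Alice's:", result["signed_by_alice"])
    print(result["plaintext"].decode(), end="")
```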

[-] Saki@monero.town 8 points 1 year ago* (last edited 1 year ago)

Get Tor Browser and/or Tails OS. When privacy is important and you need to be anonymous, use only Tor-friendly instances only via Tor (never once log in showing your real IP - if you accidentally do that, you'll have to re-create another account as a different person).

When an email address is necessary to sign up, get one anonymously (again using Tor Browser), from a privacy-centric company or group, e.g. Tutanota, Disroot. Needless to say never ever use Gmail. https://tosdr.org/en/service/217

Saki

joined 1 year ago