Dash Security-Privacy Paper

tungfa

Administrator
Dash Core Team
Moderator
Foundation Member
Masternode Owner/Operator
Apr 9, 2014
8,895
6,723
1,283
Security-Privacy-Centric Solution For Anonymous DASH (Masternode) Local Wallet Based On Debian GNU/Linux, VirtualBox, Whonix GNU/Linux Including Tor And Tails
– VERSION 0.1.7 [2016-12-03] –




Please Download :
https://drive.google.com/file/d/0B_yZ4OC682XgS2JjN0pSdDFTcHM/view?usp=sharing
http://www.filedropper.com/securitypaperversion017
OnionShare is available - ping me direct for download link [email protected] / or tungfa on dashforum​

Author: Anonymous
This very extensive /detailed Security Paper was donated to us by an anonymous source, Core Team members double checked facts and approved for posting and public discussion.
https://www.dash.org/
http://dashorg64cjvj4s3.onion

Copyright:
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).
http://creativecommons.org/licenses/by-nc-sa/4.0/

Explanations/Links/Suggestions:

Always use a VPN Service / Safety/ Security 1st Step
What is a VPN:
https://en.wikipedia.org/wiki/Virtual_private_network
Recommended Services:
(pay in Dash)
BolehVPN https://bolehvpn.net
VikingVPN https://vikingvpn.com
QHoster http://www.qhoster.com
MultiVPN http://multi-vpn.co.uk/
AirVPN https://airvpn.org/


https://www.debian.org
What is ...


https://www.torproject.org
What is ...


https://tails.boum.org
What is ....


https://www.virtualbox.org
What is ...


https://www.whonix.org
What is ...


Dash Core Wallet on Linux:
https://www.dash.org/downloads/
What is ...
 
Last edited by a moderator:

studioz

Well-known Member
Sep 10, 2014
539
464
163
CANADA
dashbr.com
Security-Privacy-Centric Solution For Anonymous DASH (Masternode) Local Wallet Based On Debian GNU/Linux, VirtualBox, Whonix GNU/Linux Including Tor And Tails
– VERSION 0.1.7 [2016-12-03] –




Author: Anonymous
This very extensive /detailed Security Paper was donated to us by an anonymous source, Core Team members double checked facts and approved for posting and public discussion.
https://www.dash.org/
http://www.dashorg64cjvj4s3.onion/

Copyright:
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).
http://creativecommons.org/licenses/by-nc-sa/4.0/

Explanations/Links/Suggestions:

Always use a VPN Service / Safety/ Security 1st Step
What is a VPN:
https://en.wikipedia.org/wiki/Virtual_private_network
Recommended Services:
(pay in Dash)
BolehVPN https://bolehvpn.net
VikingVPN https://vikingvpn.com
QHoster http://www.qhoster.com
MultiVPN http://multi-vpn.co.uk/
AirVPN https://airvpn.org/


https://www.debian.org
What is ...


https://www.torproject.org
What is ...


https://tails.boum.org
What is ....


https://www.virtualbox.org
What is ...


https://www.whonix.org
What is ...


Dash Core Wallet on Linux:
https://www.dash.org/downloads/
What is ...
Top
 

demo

Well-known Member
Apr 23, 2016
3,114
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
Is the IP of a masternode hidden when someone tries to implements the guidelines of this paper?
How this paper solves the IPv4 reveal of the masternodes?
How masternodes recognise eachother via this scheme?
How can you be anonymous if you reveal your IP to a masternode service provider (MNSP)?
paper said:
"At first you have to contact a MNSP (usually register an account on a website). The provider will usually be paid in advance and takes full care of your MN for a certain amount of time (typically on a monthly basis) and is therefore responsible for the setup of a secure remote Linux server. You and the provider only have to exchange very few information, for example the IP address of the new server which will act as the new MN."
What the heck? What are they talking about? Is your real IP address consider as "very few information"?

My thoughts on this paper is negative, because the application layer and the network layer are not separated in DASH. TOR may allow your masternode to change its IP. But as long as TOR is slow, there is a sychronization problem between all masternodes that are behind TOR and the masternodes that are not. This will tear the network apart, and will lead to double spending issues e.t.c. So the above paper is not the anonymity solution you are searching for.

The protocol of dash should change first, and take into account all Masternodes that are behind TOR which may change their ip address in a rate of 5 times in a minute (the 5 is a randomly selected number that should be voted using numbers). You have to deal first with all sychronization problems that may appear (including the double spending issues!).

The above paper is a general anonymity paper and has a few thing to offer to the Masternodes anonymity problem.
 
Last edited:

t0dd

Active Member
Mar 21, 2016
150
132
103
keybase.io
Dash Address
XyxQq4qgp9B53QWQgSqSxJb4xddhzk5Zhh
....a bunch of stuff....
I don't know what it is, maybe a mental block(?) but demo... every post of yours is nearly incomprehensible to me. In this post... You are saying something about nodes behind tor would be too slow? (or could be too slow -- not sure if you tested this) Is that your criticism? I am having trouble understanding what you are actually trying to say.
 

demo

Well-known Member
Apr 23, 2016
3,114
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
I don't know what it is, maybe a mental block(?) but demo... every post of yours is nearly incomprehensible to me. In this post... You are saying something about nodes behind tor would be too slow? (or could be too slow -- not sure if you tested this) Is that your criticism? I am having trouble understanding what you are actually trying to say.
The dash protocol requires the masternodes to be sychronized. If some masternodes cannot communicate fast enough, then they are considered out of order. TOR transfer rates are low, so many TOR nodes (especially those who change their IPs often) they will be rejected by the DASH network due to the current DASH protocol.

We dont know and we cannot predict how fast or how slow the TOR network may become. So we have to define hardcoded numbers. How many times per minute a masternode is allowed to change its IP? What is the minimum masternode connection speed? Those numbers should be defined by voting using numbers. We should not let the core team to decide that numbers once and for ever, because the correct decision cannot be predicted. We should not also let the core team to be able to change these numbers at will, because this gives them a huge control over the network. If we allow these numbers to be voted, that way the masternode owners will define the optimum numbers that fit to the current state of the TOR network, and this will turn DASH network to as anonymous as it can be and to as fast as it can be.

All the above require protocol changes.
 
Last edited:

qwizzie

Well-known Member
Aug 6, 2014
1,581
737
183
Especially pay attention to those who confuse the truth, who try to distract, who try to mislead with full awareness and
who refuse to argue based on neutral facts but emotions instead simply not allowing any kind of logical
analysis which leads to the truth.”
I suggest we all take the time to digest this rather lengthy Security paper before making hasty comments (hasty comments like a particular person is already demonstrating in here)
 

t0dd

Active Member
Mar 21, 2016
150
132
103
keybase.io
Dash Address
XyxQq4qgp9B53QWQgSqSxJb4xddhzk5Zhh
The dash protocol requires the masternodes to be sychronized. If some masternodes cannot communicate fast enough, then they are considered out of order. TOR transfer rates are low, so many TOR nodes (especially those who change their IPs often) they will be rejected by the DASH network due to the current DASH protocol.

We dont know and we cannot predict how fast or how slow the TOR network may become. So we have to define hardcoded numbers. How many times per minute a masternode is allowed to change its IP? What is the minimum masternode connection speed? Those numbers should be defined by voting using numbers. We should not let the core team to decide that numbers once and for ever, because the correct decision cannot be predicted. We should not also let the core team to be able to change these numbers at will, because this gives them a huge control over the network. If we allow these numbers to be voted, that way the masternode owners will define the optimum numbers that fit to the current state of the TOR network, and this will turn DASH network to as anonymous as it can be and to as fast as it can be.

All the above require protocol changes.
Interesting. I can't really comment until I read... this 100+ page document though. Ugh.
 

demo

Well-known Member
Apr 23, 2016
3,114
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
Dont read it. It has nothing to do with masternodes anonymity. It is a general anonymity guideline. Read it only if you are interested in anonymity in general.

But if you are searching a solution for DASH anonymity of the masternodes, then reading this paper is a waste of time. Focus on the protocol of DASH, this is where the wrong (regarding anonymity) resides, and where the solution may be discovered.

Focus on my signature.
 
Last edited:

qwizzie

Well-known Member
Aug 6, 2014
1,581
737
183
VI. CONCLUSION AND FORECAST

The proposed solution closes the continuously rising security gap most people are exposed to while
working with cryptocurrencies and computers at all. This is achieved by the usage of carefully selected
software, a dedicated step-by-step guide build on top of a security-privacy-centric approach and the
compilation of lots of additional background information for further studying.

The main benefits are the use of free and open-source software. There is no need to work with and
thereby trust closed-source software with also a price tag attached just like Microsoft Windows or Mac
OS X, etc. Because the solution is based entirely on Debian GNU/Linux, a free Linux distribution and
other free and open-source software which are all actively developed and reviewed by the research
community distributed all over the planet.

In addition to the privacy features already implemented in the DASH cryptocurrency, the user will be
anonymous online which is an important fact (if additional important security rules such as not
providing personal information, etc. are satisfied continuously) in terms of anonymizing network traffic
over Tor protecting against traffic analysis. This is guaranteed as long as the user works with Whonix
and Tails which are pre-configured to connect to the Internet over Tor exclusively. Therefore data leaks
such as “user is connecting to the DASH network at date X, time Y and building connections with
DASH nodes K, L, M, ...” caused by very different reasons leading to fundamental violation of privacy
are reduced drastically. From now on the DASH software can be utilized anonymously because the user
even hides the fact that he/she is using the DASH software behind Whonix which routes all network
traffic over Tor. In NOT doing so it is obvious to an adversary to figure out very easily what websites
the user visits on a regular basis, which programs on the target's machine interact with the Internet and
more generally speaking in what the user is interested in at all over long time periods. Gathering all this
information together can be used to de-anonymize and to target a specific user very easily.

The new MN will help to further stabilize, increase the security, increase the decentralization and
expand the two-tier DASH MN network.
This is indeed a very detailed security paper that analyses pretty much anything Dash related
(it describes all the processes that are important to both users and masternode owners and it ranges
from wallet use, to protecting masternodes online, to protecting users online.... and much much more).

Interesting.
 
Last edited:

demo

Well-known Member
Apr 23, 2016
3,114
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
Conclusion
and then this follows.....
Install-and-forget solution: After finishing the setup of the new MN you can simply shutdown the computer, plug off the encrypted USB drive, store it somewhere safe and continue to work with your usual OS installed onto your computer. There is no need to take care of the new MN on a daily basis due to the outsourcing of this work to a third party. Anyway, you are strongly encouraged to support the DASH project by voting with your MN on specific long term decisions relating to DASH and its future.
So this paper proposes to give all the network responsibility to the Masternode Service providers!! If the masternode service providers are compromised, then the whole DASH masternode network is compromised! The fewer the MNSP are, the easier it is for the DASH network to be compromised and exposed.

Is this an advice that can be taken seriously? This paper may (or may not) solve the problem of the dash user anonymity. It has nothing to do with the problem of the masternodes anonymity. The advices the paper gives regarding masternodes anonymity are to the wrong direction.
 
Last edited:

qwizzie

Well-known Member
Aug 6, 2014
1,581
737
183
I wonder if the recommandations of this security paper could be used to form the core of new to be developed user-friendly hardware solutions, where security and privacy are central.
 

demo

Well-known Member
Apr 23, 2016
3,114
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
I wonder if the recommandations of this security paper could be used to form the core of new to be developed user-friendly hardware solutions, where security and privacy are central..
I dont think so. It is too complicated for a hardware solution. Too many software. The code used in hardware solutions has to be minimal and simple, in order to be secure.
 

qwizzie

Well-known Member
Aug 6, 2014
1,581
737
183
This guide does not provide sufficient information about the setup of a Masternode (MN) server itself,
for further information refer to the Dash Forum [https://www.dash.org/forum/topic/masternode-
guides.66/]. Anyway the result is an additional MN in the two-tier DASH MN network by outsourcing
the setup of a secure remote Linux server to a skilled third party, called the Masternode-service-
provider (MNSP).


The main part of this guide describes the download and verification process of all necessary files and
consequently the setup of a secure and private OS in order to store the 1000 DASH deposit for the new
MN in a reasonably secure environment.

In addition the solution is not limited to the setup of a DASH MN local wallet exclusively. It is also
designed for a standard DASH local wallet setup (with no intention to setup a MN at all) or any other
cryptocurrency supporting the proposed solution.
Reluctantly i have to agree with demo that this part does needs more discussion and risk evaluation.
On the other hand it reminds me of how masternode hosting providers like node40 emerged and claimed part of Dash ecosystem.
These MNSP's could be considered a logical extension on that .. or not.
 
Last edited:

halso

Active Member
Apr 27, 2016
439
235
113
Sydney, Australia
Perhaps someone should test the proposed solution. A lot of talk and speculation. Presumably the author has already tested it?

@demo, do you fancy giving it a go? I'll pay you your very first dash.
 

demo

Well-known Member
Apr 23, 2016
3,114
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
Perhaps someone should test the proposed solution. A lot of talk and speculation. Presumably the author has already tested it?

@demo, do you fancy giving it a go? I'll pay you your very first dash.
The solution obviously works because it is nothing else but recommendations of software packages the author believes that they are secure.
The author suggests for all to try this solution by themselves, he is not suggesting for me demo to try the solution on behalf of another.
 

tungfa

Administrator
Dash Core Team
Moderator
Foundation Member
Masternode Owner/Operator
Apr 9, 2014
8,895
6,723
1,283
i ad a 2nd download link
http://www.filedropper.com/securitypaperversion017

as i imagine google might not be too popular :rolleyes:

if anybody has a tip where in the onion world i could post this as a Tor Download link please let me know
(but file sharing/hosting does not really work down there due to speed issues)
I have OnionShare installed - ping me direct for download link
 
Last edited:

GrandMasterDash

Well-known Member
Masternode Owner/Operator
Jul 12, 2015
2,739
977
183
Page 7

"There's an entry point in the [Bitcoin] ecosystem and usually the identity of that person is known at that point and then once you get your money into the ecosystem you have a public ledger and all of the transactions that you do are completely available for anyone to look at. And what we're getting to with technology in the Bitcoin ecosystem is where anyone with enough computing power can go through and try to correlate all these addresses and figure out who's doing what and who's transferring money to who and then eventually sell that data which is a gross invasion of privacy. And I would rather get everyone more privacy rather than take it away from everybody because it's really you can only give it to everybody or you have to take it away from everybody in a system like this. And I know that there are going to be things that happen in the ecosystem that are illegal and this is just part of having rights. We have the right to privacy and some people will abuse that and I think there's a fine line to walk but we have to acknowledge that we want these rights and there's gonna be money like this that is on the Internet where everyone can see everything that's going on and I would rather [want] that money have an attribute of privacy for everybody useful."

Page 9

"The challenge of the new cypherpunk movement is to make secure and verified end-to-end encryption accessible to everyone, and turned on by default."

A privacy-first MN network "turned on by default"... good enough for MNs then it's good enough for end-users. Vote Yes for privacy-first.
 

tungfa

Administrator
Dash Core Team
Moderator
Foundation Member
Masternode Owner/Operator
Apr 9, 2014
8,895
6,723
1,283
Last edited:
  • Like
Reactions: bhkien

GrandMasterDash

Well-known Member
Masternode Owner/Operator
Jul 12, 2015
2,739
977
183
Get with it.. it's been decided that dash doesn't need a privacy-first or "Privacy-Centric" solution.