05:57:27 <knaccc> Very nice work on the interview guys. My short list of interesting things that were mentioned:
05:57:29 <knaccc> 1. "some exchanges share voluntarily, most do not, so there is an art to that"
05:57:31 <knaccc> 2. "ip address information is used" -> perhaps they use isp monitoring to assist?
05:57:33 <knaccc> 3. they are sending poisoned outputs to mount active attacks
05:57:35 <knaccc> 4. They didn't explicitly say they spam the blockchain with txs to reduce anonymous decoys available. But I would not be surprised if they send a burst of fake txs immediately after a tx of interest, to reduce the chances of a churned tx then sourcing good decoys
05:58:33 <knaccc> if ISPs are assisting, then you can know when certain wallets jump online and make txs, if people only sync their wallets when about to send or receive a tx
06:10:30 <fluffypony> might be time to consider some sort of automated background churn
06:11:53 <fluffypony> I wonder if churn txs could be constructed in advance without waiting for the balance to become available, and the node they're sent to could just wait until they're spendable, or if that would mess up the output selection distribution (since it wouldn't be able to select more recent outs)
06:12:13 <fluffypony> but maybe not selecting outs from the most recent few blocks isn't a bad thing
06:15:35 <knaccc> i've been looking at "forward anonymity set sizes", meaning after an output is received, how many txs on the blockchain will end up directly or indirectly referencing those outputs
06:15:42 <knaccc> and the results are good over significant periods
06:15:57 <knaccc> but if churn is automated such that it happens quickly, it's not so good
06:16:08 <knaccc> here are the stats I just ran on 10 random outputs from July:
06:16:17 <knaccc> outputIds: [19584417, 19592166, 19583074, 19577487, 19588150, 19599373, 19578981, 19571263, 19594080, 19589986]
06:16:19 <knaccc> observ. period (hours): 1, fwd tx anon set:      1,     0,     2,     4,     1,     0,     1,     0,     4,     3
06:16:21 <knaccc> observ. period (hours): 2, fwd tx anon set:      3,     8,     8,    15,    12,     6,     6,     0,    60,    13
06:16:23 <knaccc> observ. period (hours): 3, fwd tx anon set:     13,    89,    46,    70,    99,    42,    20,     0,   309,    72
06:16:25 <knaccc> observ. period (hours): 4, fwd tx anon set:     94,   323,   260,   294,   378,   186,   100,     4,   729,   252
06:16:27 <knaccc> observ. period (hours): 5, fwd tx anon set:    386,   840,   555,   721,   815,   588,   386,    22,  1416,   841
06:16:29 <knaccc> observ. period (hours): 6, fwd tx anon set:    824,  1576,   959,  1168,  1281,  1044,   750,   115,  2048,  1402
06:16:31 <knaccc> observ. period (hours): 12, fwd tx anon set:   4317,  4855,  4357,  3914,  5189,  3937,  3563,  2531,  5250,  5179
06:16:33 <knaccc> observ. period (hours): 24, fwd tx anon set:  10765, 10546, 11150, 11097, 11174,  9735, 10700,  9536, 10886, 10935
06:16:35 <knaccc> observ. period (hours): 48, fwd tx anon set:  22221, 22521, 22480, 22745, 22839, 22670, 22345, 21656, 23312, 22676
06:16:37 <knaccc> observ. period (hours): 96, fwd tx anon set:  49754, 49763, 49942, 49717, 50276, 49118, 49446, 47691, 50150, 49792
06:17:12 <fluffypony> ok so churn has to be automated, but the wallet has to be open so that it can do so intelligently?
06:17:30 <fluffypony> s/has to/can be
06:17:30 <monerobux> fluffypony meant to say: ok so churn can be be automated, but the wallet has to be open so that it can do so intelligently?
06:17:37 <fluffypony> good bot
06:17:43 <knaccc> yeah churn would need to happen automatically over longer periods than just "6 churns in 6 hours"
06:19:18 <knaccc> but if we recommend churns, this causes a blockchain bloat problem, and a wallet scanning time problem
06:20:09 <knaccc> See "The wallet scanning-time problem quantified" here: https://github.com/monero-project/research-lab/issues/75#issuecomment-663935804
06:20:17 <knaccc>  If the transaction volume were to increase 30x from here, it would take 86 hours per year of transactions scanned""
06:20:48 <knaccc> so churning would help accelerate the increase in tx volume times, and wallet scanning times would be a major problem
06:21:44 <knaccc> s/in tx volume times/in tx volume
06:21:44 <monerobux> knaccc meant to say: so churning would help accelerate the increase in tx volume, and wallet scanning times would be a major problem
06:24:53 <knaccc> sooner or later, we're going to need to take the wallet-scanning-time issue seriously
06:30:50 <sech1> I've watched the whole interview and honestly I'm disappointed. The CEO Dave has unique ability to say a lot of words without disclosing a bit of information. He basically said they use "all known methods" and do use poisoned outputs.
06:31:22 <sech1> Plus they do flag benign transactions if they happen to use wrong ring members, what a joke
06:32:40 <knaccc> all of the interesting attacks on monero involve using off-chain information, and the extent of that information will be the extent of their ability to trace
06:33:30 <knaccc> so we can't just dismiss this by talking about how ring signatures are great.
06:34:47 <knaccc> or by saying "nothing new here". if anything, if this is nothing new, and it's a problem we've known about, we need to fix it and provide proper usage guidance, instead of just saying "yeah we did an episode of Breaking Monero about that, old news"
06:47:34 <sech1> Not much we can do against guys who willingly want to paint benign transactions as tainted
06:48:00 <sech1> but yes, people should be more aware of best usage practices
06:48:33 <knaccc> yeah i don't have much confidence in his claim of being able to mark txs as involving tainted funds
06:48:40 <knaccc> that seems a bit ridiculous
06:49:27 <Inge-> it is COMPLETELY arbitrary
06:52:54 <knaccc> what would make more sense is if they were doing this: exchanges might not generally be willing to share all tx data, but i can see them being willing to notify a tracing company if they encounter any txs (in the past or future) that reference a certain output
06:53:38 <knaccc> and then share customer info only on those occasions
06:53:46 <knaccc> maybe just account ids at first
06:54:03 <knaccc> but if there is a pattern with certain account ids, they could easily be asked to then disclose more
06:54:58 <knaccc> so their system would be a tool to get exchanges to disclose information they would not do so in a blanket fashion, and that would account for his statement that there is an "art" to getting exchanges to disclose info
06:56:00 <knaccc> as long as they can claim a possible connection, even if they're wrong 95%+ of the time, that'd be enough to extract enough useful info to refine their tracing
07:34:49 <knaccc> another stat: I took 1000 random outputs from July, and observed that 309  of them were not then referenced in further txs within an hour
07:34:59 <knaccc> so higher ring sizes could help with that perhaps
07:39:53 <knaccc> 141 of 1000 not referenced within 2 hours
07:41:48 <needmoney90> higher ring sizes or a larger amount weighted forwards
07:42:03 <needmoney90> but higher ring sizes should be manageable atm
07:42:18 <knaccc> good point, yes i like the idea of a 'hot zone' where we try and make sure everything gets picked up multiple times
07:43:54 <dEBRUYNE> I suppose Triptych (or variant) will take care of that
09:14:18 <Mochi101> Thanks sarang and sgp_ for the YT interview with Ciphertrace.
13:14:59 <gingeropolous> <knaccc> or by saying "nothing new here". if anything, if this is nothing new, and it's a problem we've known about, we need to fix it and provide proper usage guidance, instead of just saying "yeah we did an episode of Breaking Monero about that, old news" >>> yeah, this sorta feels similar to when MRL001 indicated we needed bigger ringsizes, or something
13:15:18 <gingeropolous> and then someone called us out, and the response was "well we knew about it"
13:21:04 <gingeropolous> so ringsize a bajillion?
13:25:34 <knaccc> ringsize 100k does solve the probem
13:26:01 <gingeropolous> ok, what're the numbers on that puppy.
13:26:35 <gingeropolous> processing times, sizes, etc.
13:47:28 <sgp_> too big 4 u
14:42:44 <sgp_> I'm putting together this document to send to CipherTrace this AM with some more specific questions. Please add questions if you have them, but of course take extra effort to keep them professional: https://monero.sandcats.io/shared/QVo56B5-M76D88sArgVBbjnaJVltp7562CUuUsY3Nbc
14:44:06 <sarang> Also please review the questions that are already there
14:44:34 <knaccc> are they willing to take the time to write up an essay in response? i'd imagine it'd be much easier to get it out of a phone call
14:44:43 <sarang> I don't have any reason to believe CipherTrace would be dishonest in their answers, but I also don't have any reason to believe they'd go out of their way to provide details (they aren't obligated to answer any of these!)
14:45:20 <sarang> I'd be glad to ask them on a call if they prefer, sure
14:47:37 <knaccc> i'd just imagine it's easier for a human to spend 20 mins on the phone with you than spend 20 mins writing an essay
14:48:48 <sarang> On the other hand, Dave might not want his technical staff to answer directly without some kind of vetting of the responses and questions
14:49:32 <knaccc> true
14:50:22 <sarang> Who knows; might as well provide written questions and offer to discuss however they wish (if they choose to discuss at all)
15:00:19 <sarang> I have added/updated questions
15:35:23 <sgp_> questions sent, thanks
15:35:40 <sarang> neat
15:43:30 <gingeropolous> well, even if too big, would be nice to know what the "cost of ideal", and see how we can make successive approximations
15:55:25 <caos> If what they are saying is true what should we do to protect our privacy?
15:56:22 <sarang> TBH it's not entirely clear to me _what_ they're saying at this point, even after the interview
16:01:18 <caos> How can they claim it? "This provides ways to track stolen Monero currencies or Monero currencies used in illegal transactions". I'm thinking that it could be a snowball attack
16:01:40 <sarang> What do you mean by "snowball attack"?
16:03:42 <caos> The attack described on Breaking Monero 09 https://www.monerooutreach.org/breaking-monero/poisoned-outputs.html
16:04:17 <sarang> Oh, examining transaction paths between known endpoints?
16:04:25 <sarang> That becomes a graph matching and probability problem
16:04:38 <sarang> If I were them, that's probably a technique that I would use where applicable
16:04:39 <caos> Maybe they got the majority of decoys tho
16:43:11 <sgp_> There's a new set of ECC releases about "Halo 2." New sample code
16:43:21 <sgp_> https://electriccoin.co/blog/ecc-releases-code-for-halo-2/
16:44:14 <sarang> Interesting; they switch from Sonic to PLONK
16:45:05 <sarang> I would view the deployment timeline with raised eyebrows, but who knows
16:46:27 <sarang> Now to see benchmarks!
17:04:56 <dEBRUYNE> That timeline seems a tad optimistic
17:05:47 <sarang> Eh, it's a press release
17:05:53 <sarang> Following the code will be far more interesting
17:06:16 <sarang> It's neat research
17:07:08 <dEBRUYNE> Were you able to find some benchmarks?
17:08:05 <sarang> I'm still perusing
17:08:14 <sarang> The post is a little confusing
17:08:32 <sarang> It seems to imply that PLONK support is not there yet, but there is PLONK-related code in the repo
17:09:25 <sarang> Hmm, commit messages imply some stuff may still be broken, so I dunno
17:09:46 <sarang> Doesn't appear to be any benchmarking just yet
17:09:53 <sarang> Would depend on circuit structure, presumably
17:10:12 <sarang> and if they intend to deploy, they'd need it to scale to something the size of the Sapling/Heartwood/etc. circuit
17:55:27 <sgp_> I'm told the questions have been forwarded
17:55:44 <sethsimmons> Hopeful for at least some basic responses, but the more the merrier
17:58:46 <sarang> Forwarded to whom? The people on Dave's team who build the tools?
17:59:13 <sarang> I have set my expectations low (they are a company, after all), but hope to be pleasantly surprised :D
18:44:49 <midipoet> I think it's pretty obvious what they do though isn't it?
18:44:54 <midipoet> It's known attack vectors
18:44:59 <midipoet> There isn't anything new
18:45:13 <midipoet> Is it just confirmation that we are wishing for
18:45:23 <midipoet> So we discredit the efficacy of it
18:45:27 <midipoet> And the accuracy
18:45:38 <sarang> In the interview, it was implied that the technique involved many known methods, but also some kind of unknown sauce
18:45:51 <sarang> Without justification or evidence or details, it's not possible to verify any of this
18:49:02 <midipoet> The unknown sauce is just spamming the network
18:49:13 <midipoet> That is not documented in any research, is it?
18:49:25 <needmoney90> no, I think they mean sending users txes
18:49:25 <midipoet> No formal research anyways?
18:49:27 <needmoney90> not network spam
18:49:36 <needmoney90> for later recombination
18:49:55 <midipoet> known suspects?
18:50:12 <sarang> There's no way to know what they do
18:50:12 <midipoet> What users?
18:50:22 <sarang> They might have been telling the truth, stretching it, or being dishonest
18:50:35 <sarang> Designing with any claims in mind that have no evidence is foolish anyway
18:50:51 <sarang> The interview is all self-reported data
18:52:23 <sarang> Whether or not they actually have a product that does what they have implied/claimed, they have absolutely succeeded at spreading the news about these implications/claims
19:03:02 <Isthmus> Hmm, what if we put together a CCS to become a CT customer, so that we can analyze its capabilities
19:03:11 <Isthmus> I'm sure MRL could have a field day testing their abilities
19:03:48 <Isthmus> And it'd be a good investment. We're currently fighting blind in an arms race
19:08:40 <needmoney90> "Monero community funds chain analysis companies"
19:09:53 <sarang> Well, not so much fighting, as having someone else write a letter saying they have powerful tools
19:10:20 <needmoney90> they have the best tools
19:10:25 <needmoney90> some very smart people told them
19:10:26 <needmoney90> the smartest
19:10:53 <sarang> I think it's important not to blindly discount the potential risks of the protocol, but also important is: https://en.wikipedia.org/wiki/Hitchens%27s_razor
19:10:54 <monerobux> [WIKIPEDIA] Hitchens's razor | "Hitchens's razor is an epistemological razor expressed by writer Christopher Hitchens. It says that the burden of proof regarding the truthfulness of a claim lies with the one who makes the claim; if this burden is not met, then the claim is unfounded, and its opponents need not argue further in order..."
19:11:01 <sarang> good bot
19:13:47 <midipoet> Isthmus: that is a good idea I think. There is no reason the community couldn't buy the analysis tool
19:14:07 <midipoet> it makes perfect sense to
19:14:17 <sarang> There would 100% be an NDA
19:14:23 <midipoet> Sure
19:14:28 <sarang> and Big Fancy Legal Theats for violating it
19:14:38 <midipoet> sure
19:14:47 <sarang> I am not interested in talking to lawyers about this
19:14:55 <sarang> that sounds like months of your life you don't get back
19:15:14 <midipoet> Every month we don't get back
19:15:21 <midipoet> Might as well smile along the way
19:15:39 <sarang> I'm saying "buying" the tools doesn't work
19:15:58 <sarang> You'd probably send them some txns, and get some data back, but are under strict NDA about not sharing them anyway
19:16:11 <sarang> So unless you want to tangle with expensive lawyers, you gain nothing
19:16:47 <sarang> And if you do want to tangle with expensive lawyers, you have strange ideas of fun...
19:17:42 <midipoet> oh. I forgot the AaaS
19:17:50 <sarang> ?
19:17:53 <midipoet> Analysis as a Service
19:17:55 <sarang> aye
19:18:07 <sarang> I don't know this is how it works, but it is my assumption
19:18:24 <sarang> I would be super surprised if they just shipped you the whole damn tool
19:18:45 <sarang> That seems terrible for business
19:19:02 <sarang> Maybe you get some kind of viewing interface for your particular case
19:19:07 <sarang> But still can't share anything under NDA
19:19:40 <midipoet> Oh no. I wouldn't share my transaction information. That would be silly
19:22:06 <sarang> And another brief reminder that sgp_ and I did write specific technical questions that were sent to Dave Jevans earlier today
19:22:12 <sarang> They may respond with details, and they might not
19:22:41 <sarang> But I am certainly willing to give them the professional courtesy of a few days to respond, should they choose to
19:54:26 <knaccc> i have some interesting stats
19:54:45 <knaccc> let's say you pick 100 pairs of outputs at random from the blockchain, where those outputs were created within 7 days of each other
19:54:59 <knaccc> and all pairs were created during or after Jun 2020
19:55:27 <knaccc> how many of those randomly picked pairs will be spent together, by chance, at some point in the future?
19:55:34 <knaccc> the answer: merges detected: 0 of 100 for 2 poisoned outputs
19:56:06 <knaccc> i'm running it again now to do the analysis again for 1000 random pairs, but it takes quite a while
19:56:10 <knaccc> next question:
19:56:33 <knaccc> what if users churned each output in each random pair, prior to merging?
19:56:33 <needmoney90>  wait, 0 of 100 means it would be very detectable?
19:56:48 <needmoney90> so 'this would not happen by random chance'?
19:56:55 <knaccc> exactly, the false positive rate is near 0%, so the spend is ultra-high probability
19:57:26 <needmoney90> So this is effectively iterated EAE, right?
19:57:36 <needmoney90> to clarify.
19:57:37 <knaccc> yes. so now we look at merges detected for each random pair, during different levels of churn
19:57:43 <knaccc> churn window (hours): 24
19:57:45 <knaccc> merges detected: 1 of 10 for 2 poisoned outputs at churn level: 1
19:57:47 <knaccc> merges detected: 0 of 10 for 3 poisoned outputs at churn level: 1
19:57:49 <knaccc> merges detected: 0 of 10 for 4 poisoned outputs at churn level: 1
19:57:51 <knaccc> merges detected: 0 of 10 for 5 poisoned outputs at churn level: 1
19:57:53 <knaccc> merges detected: 0 of 10 for 6 poisoned outputs at churn level: 1
19:57:55 <knaccc> merges detected: 10 of 10 for 2 poisoned outputs at churn level: 2
19:57:57 <knaccc> merges detected: 8 of 10 for 3 poisoned outputs at churn level: 2
19:57:59 <knaccc> merges detected: 1 of 10 for 4 poisoned outputs at churn level: 2
19:58:01 <knaccc> merges detected: 1 of 10 for 5 poisoned outputs at churn level: 2
19:58:03 <knaccc> merges detected: 0 of 10 for 6 poisoned outputs at churn level: 2
19:58:05 <knaccc> merges detected: 9 of 10 for 2 poisoned outputs at churn level: 3
19:58:07 <knaccc> merges detected: 10 of 10 for 3 poisoned outputs at churn level: 3
19:58:09 <knaccc> merges detected: 10 of 10 for 4 poisoned outputs at churn level: 3
19:58:11 <knaccc> merges detected: 10 of 10 for 5 poisoned outputs at churn level: 3
19:58:13 <knaccc> merges detected: 3 of 10 for 6 poisoned outputs at churn level: 3
19:58:15 <knaccc> ok so i'll explain this:
19:58:20 <needmoney90> it explains itself
19:58:32 <needmoney90> :D
19:58:44 <knaccc> so what happens if someone churns n outputs independently inside a 24hr window
19:58:49 <needmoney90> If you want to get effective privacy off of up to 5 outputs, churn 3 times and you're good
19:58:57 <needmoney90> within the same window
19:58:59 <knaccc> how many random sets taken from the blockchain show false positives
19:59:11 <knaccc> and yes the false positive rate can get really good
19:59:30 <knaccc> but the problem is you get no false positives if you simply increase the poisoned output count
19:59:56 <needmoney90> nah
19:59:58 <knaccc> but you also get higher false positives if you simply increase the number of churns
20:00:04 <needmoney90> you havent run the numbers far enough
20:00:11 <knaccc> what should i run
20:00:17 <needmoney90> Its a growth rate thing
20:00:29 <knaccc> well the thing is, you can get complete anonymity if you churn enough
20:00:32 <needmoney90> poisoned outputs are linear
20:00:38 <needmoney90> churns are exponential
20:00:57 <knaccc> right, so you can always beat any number of poisoned outputs if outputs are churned enough, i think
20:00:58 <needmoney90> I suspect if you push churns to like, 8, and poisoned outputs to 30, you'll be surprised at the result
20:01:11 <needmoney90> 'enough' is something like a log on the number of outputs
20:01:15 <needmoney90> its not a linear growth thing
20:01:28 <knaccc> there is a churn level where the anonymity set size starts to become "everything"
20:01:29 <needmoney90> at least, I suspect.
20:01:39 <needmoney90> Try 30 poisoned, 8 churn.
20:02:10 <knaccc> 8 churn probably way too high to do in reasonable time
20:02:21 <knaccc> i'll try 30 at 6 churn
20:02:27 <needmoney90> ok
20:02:51 <needmoney90> 3 is just starting to scrape exponentials
20:03:04 <needmoney90> 6 it should really kick in
20:03:10 <needmoney90> 8 is prolly overkill tbh
20:03:25 <sgp_> 30 is a huge number of poisoned outputs
20:03:41 <needmoney90> Yes, but my mental model is telling me that scaling it up that far wont be too bad here
20:03:46 <sgp_> are these 6 churns of the poisoned outputs independently?
20:03:48 <needmoney90> idk
20:03:59 <needmoney90> 30 is a lot
20:04:01 <needmoney90> maybe 20?
20:04:06 <needmoney90> still a lot, but heh
20:04:06 <sgp_> and then after the 6 churns is there a merge?
20:04:11 <knaccc> right
20:04:21 <needmoney90> idk why the rec isnt just to merge them all, then churn
20:04:30 <knaccc> it's detecting false positives for merges after 6 churns
20:04:37 <sgp_> needmoney90: depends on the threat model
20:04:39 <needmoney90> 'ah, they merged their outs right here! Aha! And then got lost in the crowd...'\
20:04:47 <knaccc> so if you're really churning and merging, what is your anonymity set essentially
20:04:51 <sgp_> if the treat model assuming 30 payments to 1 address, then yes fine to churn right away
20:04:56 <knaccc> what does it look like is happening by chance
20:05:37 <sgp_> if 30 payments to an unassociated entity, then maybe churn separately if the address identities are supposed to stay separate
20:06:26 <sgp_> knaccc: what does it mean by merges detected then? how is this a static yes/no? does the model guess, and then if correct against ground truth, then say it's detected, no if not?
20:06:40 <knaccc> i might not be able to test anything approaching these numbers, actually. it's really slow
20:08:19 <knaccc> sgp_ we're essentially asking: if we pick 2 outputs on the blockchain, and then follow the forwards-in-time anonymity set N levels, does it look like there is ever a transaction afterwards that spends any two outputs together where each of those two outputs are from each of those forward-anonymity-sets
20:09:21 <knaccc> so it's asking what % of other random output pairs on the blockchain look like they might have been churned N times and then merged so that someone could cash out
20:09:51 <sgp_> don't you need to know what the user behavior will look like to test how many possible paths there are?
20:10:05 <sgp_> you don't know an arbitrary user churns x times specifically
20:10:46 <knaccc> i'm asking, at each level of churn, what will their cover be in terms of other outputs that could also look like they were churned and merged the same way
20:11:04 <knaccc> the answer after a direct merge is almost no anonymity
20:11:21 <knaccc> and the anonymity grows with churn distance from the original outputs
20:11:48 <sgp_> just to be extremely clear, can you show how the anonymity is near 0 for a direct merge? I want to follow your application to this design
20:12:07 <knaccc> so with the simple 2 outputs chosen at random then a direct merge, i've just rerun it with 1000 random pairs
20:12:11 <knaccc> and there are merges detected: 6 of 1000 for 2 poisoned outputs
20:12:48 <knaccc> so a 0.6% chance that a direct merge (like in the Ciphertrace example) could have been spent together by chance
20:14:53 <sgp_> so do you look at 1000 random output pairs and see if they appear in an immediate transaction with one of these outputs in each ring?
20:15:36 <knaccc> right, i look from the time of creation to present day
20:15:48 <knaccc> and all pairs were created Jun 2020 or after
20:16:37 <sgp_> okay, so given the shortened timeframe, the test may be slightly less reliable if we chose outputs including those 4 years ago? or at least that intuitively makes sense to me
20:17:21 <sgp_> well, assuming the ringsizes were always 11 I guess. maybe since that point for simplicity
20:17:38 <sgp_> in any case, that doesn't really matter, just trying to make sure I understand it
20:17:46 <knaccc> yeah you understand perfectly i think
20:18:24 <sgp_> so for 1 churn does that mean an immediate merge, or a merge within 2 transactions total?
20:18:51 <knaccc> 0 churns means merge after outputs received
20:19:08 <sgp_> okay, so 1 churn = 2 transactions total
20:19:11 <knaccc> 1 churn means both outputs churned independently after being received, then merged
20:19:24 <sgp_> sorry, your wording is clearer
20:19:32 <knaccc> going to 1 auto churn makes things much better:
20:19:34 <knaccc> merges detected: 31 of 100 for 2 poisoned outputs at churn level: 1
20:19:56 <knaccc> so we can massively improve monero's privacy with just one level of autochurn
20:19:57 <sgp_> and I assume you're using real Monero blockchain data for this then to test
20:20:00 <knaccc> correct
20:20:28 <sgp_> so to test arbitrary ringsizes it would take a lot of work to make a fake blockchain
20:21:26 <knaccc> when constructing the blockchain graph, extra outputs could be added as decoys to simulate it
20:21:44 <sgp_> hmm, that could be super useful actually. very clever too
20:21:46 <knaccc> and care would need to be taken to apply the correct selection distribution
20:22:03 <sgp_> of course
20:22:41 <sgp_> so now walking through the results you posted, for example this line:
20:22:42 <sgp_> merges detected: 1 of 10 for 2 poisoned outputs at churn level: 1
20:22:48 <knaccc> the problem though is still that the more iterations, the less churn helps you, unless you are churning many times more than once, in which case churn is a panacea
20:22:51 <sgp_> what does 1 of 10 mean?
20:23:23 <knaccc> that means of 10 random pairs chosen, 1 merge was detected at churn level=1
20:23:34 <knaccc> so 10% false positive rate
20:23:46 <knaccc> that you can hide in
20:24:45 <knaccc> the problem is that if you have 10 poisoned outputs instead of 2, then:
20:24:47 <knaccc> merges detected: 0 of 100 for 10 poisoned outputs at churn level: 1
20:25:04 <sgp_> can this be interpreted as 10% of the time, a "fake" merge of these 2 poisoned outputs occurs?
20:25:14 <knaccc> right
20:26:29 <knaccc> so essentially you need to look at how often you plan on transacting
20:26:44 <knaccc> and set churn level accordingly
20:27:05 <knaccc> and if you plan on transacting more than a few times, suddenly you need to go all the way up to churn level 6 or so
20:27:14 <sgp_> are these 10 random pairs selected from the 1000 earlier somehow?
20:27:25 <sgp_> or is this a completely independent test?
20:27:57 <knaccc> always independent
20:28:27 <sgp_> why only select 10 random pairs then?
20:30:09 <knaccc> because it takes a really long time to run. i'd select 1000 if i could
20:30:26 <sgp_> got it
20:30:49 <sethsimmons> Super interesting stuff knaccc just finished reading backscroll
20:30:54 <sethsimmons> Thanks for crunching the numbers :)
20:31:05 <knaccc> np, i kinda got addicted to it
20:31:13 <sgp_> I assume the time to run increases substantially with each churn more than it does each pair?
20:31:39 <knaccc> yeah, it's already super-optimized by not talking to the daemon. it loads everything into memory and then darts around
20:31:48 <knaccc> but still it takes time
20:31:57 <sgp_> how much memory does that take lol
20:32:15 <knaccc> only about 500mb, it only loads the essentials of the graph
20:32:51 <knaccc> my recent code is only really good for low churn levels. i have different code that looks at anonymity set sizes for transactions generally
20:33:09 <knaccc> =========================================================================================================================
20:33:11 <knaccc>  Anonymity set sizes for txs in block 2177013 for observation window size: 7 days
20:33:13 <knaccc> =========================================================================================================================
20:33:15 <knaccc>                                                              txid |  Level=1 |  Level=2 |  Level=3 |  Level=4 |  Level=5
20:33:17 <knaccc> ------------------------------------------------------------------|----------|----------|----------|----------|----------
20:33:19 <knaccc>  fe39a21b57814a980aea6d69fe8ab9cad609713b84d9c09f97e4b8cf74580e5b |        9 |      100 |    1,942 |   29,205 |  187,841
20:33:21 <knaccc>  75cbf8e6805f0417c5f6160c47ca9db701e74f8583d33135f60dadf9ee1e3c6c |        6 |       66 |    1,119 |   17,488 |  146,782
20:33:23 <knaccc>  ffa60ba1161b700efd8effe7a85fd3e93a7b08c2f9f0e3adb0ede229458b80b1 |        9 |      119 |    1,643 |   22,785 |  166,487
20:33:25 <knaccc>  0b76935fa6b22da2e1baf41a8e9371dbf0ff727ebfe84928412179c8567e7774 |       11 |      147 |    2,180 |   31,761 |  191,051
20:33:27 <knaccc>  d74e2ceb424abab0baaf9e3c6a9695cd08bff69c7ca8539a4bffe61c933e8a05 |        7 |       81 |      967 |   13,891 |  130,696
20:33:29 <knaccc>  12b4af06464c29171f9ae857200ef343c7c3115ace8b2e78c528245330c86850 |        9 |      106 |    2,041 |   29,293 |  185,865
20:33:31 <knaccc>  e9f0eab46edded095f9c5a2726b4e4610df3b98391730b2862c98058a362be2b |       11 |      200 |    3,353 |   46,762 |  210,115
20:33:33 <knaccc>  1a223fd2c6ed9c64b1cd7e73370b93975edc89373f7ad8caab1cf601a9221948 |        8 |       97 |    1,401 |   18,670 |  139,589
20:33:35 <knaccc>  ea012a8bf1898cd7f100257bb699696450dbfb8351599801689c8cba3e168e1d |        8 |       87 |    1,252 |   18,160 |  151,164
20:33:37 <knaccc>  4a0b235f1e9f34d4a1adf185bdb0f4224c4925a2d3a4c5cfc736e46a3ff9cd44 |        7 |      416 |    7,149 |   86,880 |  235,023
20:33:39 <knaccc>  c001acce972fb25d88b4b7ec524baf40c2512538137733fd69d661c72706577c |        7 |       96 |    1,471 |   21,017 |  163,831
20:33:41 <knaccc>  824e016ab77108e808f706f2a3af95b949e23f5f7a6f8a182a893f2cf6cdd989 |        7 |      160 |    2,395 |   35,394 |  202,839
20:33:43 <knaccc>  771d4db8b4f7eecf7e4914acb1264a34842a057480625498f270b2d1d2971053 |        9 |      167 |    2,863 |   40,307 |  208,096
20:33:45 <knaccc>  207ca5090bb382e441820a21e807e22028d5f6970210c7df604d6b83236185db |        8 |       74 |      923 |   13,672 |  130,121
20:33:47 <knaccc>  2398a80e742070504123dde6057b9711492d64c22928abd80079459837322c3b |        7 |      204 |    3,404 |   48,961 |  219,691
20:33:49 <knaccc>  155e8c8c03e699c337e241232ec18bed9a155d923d33c6c19835a0ff3fdc3a82 |        9 |      196 |    2,927 |   39,841 |  208,513
20:33:51 <knaccc>  46f1e03ed2c1ca6ea075956bf123a48f1ad8ea0b26ab6b8bc707076ab4dfc422 |        8 |      110 |    2,054 |   28,871 |  183,053
20:33:53 <knaccc>  f164ca136b28611edef5c9939a882dd473b8d47772734d3cc2132beb720efab9 |       10 |      255 |    3,677 |   49,390 |  217,902
20:33:55 <knaccc>  a667874ccf43f27fc4c56b5142d3b9137c450f1c86f27f1d63c695c943c09713 |        8 |      129 |    2,075 |   33,952 |  195,938
20:33:57 <knaccc>  d2585dfc318f3bcb97f4d9ac1d11cfd120186383d7591d7f8611ef8ec011b749 |        5 |       68 |      912 |   13,995 |  130,375
20:33:59 <knaccc>  e05287eea35d42cdf4adae65da54183f566b8d5d693c5772c6474ff7d90d8539 |        9 |      191 |    2,958 |   43,535 |  202,102
20:34:01 <knaccc> so you can see anonymity set sizes exploding
20:34:03 <knaccc> level 6 or 7 should be enough for anyone to get perfect anonymity
20:34:21 <knaccc> but of course, if we tell people to do that, it'll spam the blockchain, increase wallet scanning times to unacceptable levels, and people will get annoyed at how long they have to wait for the churns
20:35:14 <knaccc> hmmm actually that output looks a bit broken
20:35:18 <knaccc> i might have messed something up
20:35:23 <UkoeHB_> paste as code snippet?
20:35:27 <knaccc> level 11 normally look like multiples of 11
20:35:32 <knaccc> level=1 i mean
20:35:46 <sgp_> anonymity set sizes, defined how?
20:36:51 <knaccc> defined as number of outputs that these txs could have sourced their inputs from
20:37:03 <knaccc> that paste is definitely wrong, level 1 should always be multiples of 11
20:37:10 <knaccc> i've messed something up in the last few hours i think
20:37:32 <knaccc> i pasted stuff earlier today that made more sense
20:37:59 <knaccc> some debian pastes
20:38:54 <knaccc> ohhhhhh
20:38:55 <sgp_> okay, is there better wording for that? easily confused with effective ringsizes
20:39:05 <knaccc> ok no my code isn't broken at all
20:39:10 <knaccc> it's because of the observation window
20:39:15 <knaccc> so it's clipped at 7 days
20:39:35 <sarang> What does this mean exactly?
20:39:44 <knaccc> so the level 1 anonymity set size will only include any of the 11 outputs that existed in the 7 days prior to that tx
20:39:55 <sarang> Hmm ok
20:39:56 <moneromooo> That looks like one of the tools in src/blockchain_utilities.
20:40:06 <moneromooo> Which I promptly forgot what they do.
20:40:57 <sarang> c'est la vie
20:41:32 <knaccc> UkoeHB_ this is the entire listing for all txs in that block https://paste.debian.net/plain/1162186
20:43:23 <knaccc> btw the anonymity set sizes listed there are not approximations by multiplying ring counts together or something. it literally actually finds all distinct output ids in the anonymity sets, and so sees intersections and does not count duplicates
20:44:08 <sgp_> so this test takes these IDs and works backwards, not forwards?>
20:44:16 <knaccc> correct, this one is now backwards
20:44:20 <knaccc> in time
20:44:51 <sgp_> okay, so explain how for fe39a21b57814a980aea6d69fe8ab9cad609713b84d9c09f97e4b8cf74580e5b that is would be 9 possible source transactions when it has 11 inputs/ring
20:45:55 <sgp_> *it? idk lol
20:46:08 <knaccc> because an observation window is applied
20:46:20 <knaccc> so i could have said show me the anonymity set size going back forever
20:46:35 <knaccc> and then the level=1 col woudl all be multiples of 11
20:46:44 <knaccc> but i applied a 7 day observation window
20:47:21 <knaccc> btw if i take just that first tx in the list, i can then see the anonymity set size at different window sizes and at higher levels
20:47:26 <sgp_> so basically 9 of those outputs are within 7 days?
20:47:29 <knaccc> ============================================================================================
20:47:31 <knaccc>  Anonymity set sizes for txid: fe39a21b57814a980aea6d69fe8ab9cad609713b84d9c09f97e4b8cf74580e5b
20:47:33 <knaccc> ============================================================================================
20:47:35 <knaccc>  Window (days) |  Level=1 |  Level=2 |  Level=3 |  Level=4 |  Level=5 |  Level=6 |  Level=7
20:47:37 <knaccc> ---------------|----------|----------|----------|----------|----------|----------|----------
20:47:39 <sarang> gah
20:47:39 <knaccc>              1 |        6 |       43 |      700 |    5,439 |   18,833 |   25,354 |   27,873
20:47:41 <knaccc>              3 |        8 |       76 |    1,340 |   15,676 |   74,092 |   91,192 |   93,762
20:47:42 <sarang> pastebin, my friend
20:47:43 <knaccc>              7 |        9 |      100 |    1,942 |   29,205 |  187,841 |  233,330 |  235,936
20:47:45 <knaccc>             14 |        9 |      108 |    2,330 |   39,611 |  335,643 |  460,474 |  463,143
20:47:47 <knaccc>             30 |       10 |      134 |    3,155 |   58,189 |  604,834 |  916,965 |  919,772
20:47:49 <knaccc> ============================================================================================
20:47:51 <sarang> stahp
20:47:51 <knaccc> correct
20:48:03 <knaccc> oh do you not have monospaced font in your irc?
20:48:28 <sarang> Pastebin is just classier for many reasons :)
20:48:31 <iDunk> Not the point.
20:48:38 <sarang> Fewer pings, easier to copy/paste/save
20:48:42 <knaccc> here is pastebin
20:48:44 <knaccc> https://paste.debian.net/plain/1162187
20:48:47 <sarang> :D
20:49:47 <sarang> knaccc: interested in sharing a summary of this at tomorrow's meeting?
20:50:01 <sarang> https://github.com/monero-project/meta/issues/502
20:50:08 <knaccc> i'm not sure what time i'd be around tomorrow, i'll make the meeting if i can
20:50:21 <sgp_> I think at this point a write-up is warranted
20:50:24 <knaccc> yeah
20:50:29 <knaccc> i'll put something together
20:50:49 <sarang> Great
20:50:57 <sgp_> the churns test is the most directly applicable but also only 10 samples is quite small sadly
20:50:58 <sarang> You're welcome to post anything onto the agenda issue if this is handy
20:51:29 <knaccc> the bottom line is that if you have multiple poisioned outputs, you need e.g. 6-7 levels of churn, and that's not something we can really recommend without spamming the blockchain and making wallet scanning times too long
20:51:42 <knaccc> so all of this fancy schmancy analysis is kinda moot
20:52:01 <sarang> There's an interesting social aspect to the "are my outputs flagged" question
20:52:05 <sgp_> would also be awesome to test arbitrary ringsizes :D
20:53:08 <knaccc> yeah
20:53:35 <knaccc> can someone point me to the current selection algo, preferably described in plain english?
20:53:54 <selsta> zero to monero 2?
20:54:05 <knaccc> oh that's up-to-date is it?
20:54:05 <sgp_> I'm also most interested in 0-3 churns, anything more than that is hella niche (anything >1 is already super niche)
20:54:31 <sarang> A version of https://arxiv.org/pdf/1704.04299/, page 13
20:54:40 <sarang> However, that paper does not account for block density
20:55:12 <sarang> Here is a version of what we do: https://github.com/SarangNoether/skunkworks/blob/outputs/outputs/simulate.py
20:55:29 <sarang> Namely, https://github.com/SarangNoether/skunkworks/blob/outputs/outputs/simulate.py#L127
20:55:34 <sarang> (that script tested several methods)
20:56:00 <sarang> IIRC the window we use for estimating "output time" is 6 months
20:57:11 <knaccc> selsta unless i've failed to locate it, i don't think z2m2 has the ring selection described
20:57:46 <sarang> I recommend the python code
20:58:01 <knaccc> sarang so if i copy the python code, that's exactly what monero currently does?
20:59:53 <knaccc> gah numpy.random.geometric
20:59:59 <sarang> With the exception of the overall block timing window, should be
21:00:15 <knaccc> it'll take quite a while to figure out how to get equivalent libraries for java and reimplement this
21:02:44 <Isthmus> Very interesting anlysis
21:02:50 <Isthmus> just catching up
21:02:56 <Isthmus> "the bottom line is that if you have multiple poisoned outputs, you need e.g. 6-7 levels of churn, and that's not something we can really recommend without spamming the blockchain and making wallet scanning times too long"
21:03:11 <selsta> knaccc: it is mentioned but then miller et al paper is linked for more details
21:03:26 <sarang> why java
21:03:29 <sarang> python iz easy
21:03:52 <Isthmus> In this case, what should we recommend for people whose threat model includes multiple poisoned outputs? Just to not use Monero, because the churn necessary for anonymity is considered spam to others?
21:04:04 <knaccc> because you can't memory map a file in python to get ultra fast blockchain lookups
21:04:21 <sethsimmons> Small amounts of churn are fine
21:04:26 <sethsimmons> I believe he was meaning everyone churning all outputs 6-7x would be spam
21:04:33 <knaccc> yeah
21:04:56 <Isthmus> Oh gotcha, yea
21:05:07 <sethsimmons> My idea was to allow "flagging" of subaddresses at creation time that enable auto-churning 1+ times of each received output
21:05:24 <knaccc> we won't want monero to be untraceability-theater for most users unless they do special churn techniques
21:05:32 <Isthmus> ^^
21:05:38 <sethsimmons> So, for instance, I have a subaddress per exchange used, I could flag those (manually or at creation of the subaddress) and the wallet would churn in the background.
21:05:49 <Isthmus> That's a cool idea
21:05:54 <sethsimmons> It has to be something that can be brain-dead for everyone to benefit from it, if this heuristic is a threat to most users
21:06:07 <sethsimmons> Obviously power users can sweep_single easily in CLI already
21:06:40 <sethsimmons> I know I don't need to churn the lunch money my friend sends me, so why waste the TX fees and spam the blockchain with that
21:06:57 <sethsimmons> But I also don't want to manually sweep each "risky" output I receive
21:07:24 <sethsimmons> And obviously dusting of addresses only works for known addresses in Monero, so if I only share one subaddress with each exchange their dust will always be churned
21:08:15 <knaccc> i'm reminded of this https://imgur.com/gB65bZg "Deep Anonymity Accounts"
21:09:02 <sethsimmons> ah interesting!
21:09:25 <sethsimmons> Basically that, but has to be forced as a choice to the user, not manual/hidden
21:10:20 <knaccc> essentially in their wallet, where they already create multiple accounts, they can create a "Deep Anonymity Account" and a "Regular Privacy Account"
21:10:27 <selsta> knaccc: is this basically a wallet feature with no extra crypto?
21:10:28 <knaccc> and use the DAA when they are worried
21:10:32 <knaccc> selsta correct
21:10:34 <sethsimmons> so my ideal flow is: Receive>Create new address>Prompt appears asking if I will be using this address for exchanges and untrusted third parties (wording needs to be clear here)>Yes flags it for autochurn, no treats it like normal.
21:10:37 <midipoet> knaccc: where did that come from?
21:11:02 <knaccc> midipoet i made it in 2017, when i first started talking about EABE issues :)
21:11:02 <selsta> so basically it should also work with subaccounts?
21:11:13 <midipoet> knaccc: cool
21:11:14 <sethsimmons> yes could work with anything
21:11:18 <sethsimmons> It just changes wallet behavior
21:11:31 <knaccc> selsta yes it's just like normal accounts, except the wallet automatically churns when you transfer between accounts
21:11:38 <knaccc> instead of just letting you directly transfer funds
21:12:01 <selsta> do you know if 7x churn is necessary with triptych?
21:12:06 <selsta> or could that be reduced?
21:12:11 <sethsimmons> So: Send from DAA>Wallet "intercepts" and churns > Sends when done churning?
21:12:11 <knaccc> perhaps reduced
21:12:39 <knaccc> the key insight in that DAA thing is that if someone doesn't know your real-world identity, you don't have to churn at all
21:12:52 <knaccc> you can just receive from and spend with people that don't know your real-world identity
21:12:56 <knaccc> no blockchain spam required
21:12:59 <sethsimmons> true, thats a good differentiator
21:13:12 <sethsimmons> Well, some, but only when the threat is real/clear
21:13:13 <knaccc> unless you want to transfer to an account where you transact with an exchange or something
21:13:20 <sethsimmons> Its not spam, per se, but still bloat
21:13:22 <knaccc> at which point the wallet will do the churn
21:13:24 <sethsimmons> But for a good and needed reason
21:13:51 <sethsimmons> So wallet says "Will this address be linked in any way with your identity?" might be a better popup in my subaddress/subaccount idea
21:14:04 <sethsimmons> And if yes, autochurn 1+ times
21:14:10 <sethsimmons> Much better wording there, I like it knaccc
21:14:16 <knaccc> still though, all of this is going to confuse the hell out of people
21:14:45 <sethsimmons> Will need a clear doc to link to from the popup if we do something like that
21:14:50 <knaccc> we're gonna have to explain that if you churn, you can make monero more private, not that it wasn't already private, but now it's more private, not that if you don't do this you won't have privacy
21:14:53 <sethsimmons> But most will just answer yes or no and not care I think
21:15:08 <knaccc> it's too complicated to try and explain
21:15:19 <knaccc> that's why my preferred solution requires no churn
21:15:33 <sethsimmons> the tagging?
21:15:36 <knaccc> right.
21:15:47 <sethsimmons> Yeah, that requires a lot of changes though
21:15:50 <sethsimmons> So is likely a ways off
21:16:02 <knaccc> yeah, it's an almost impossible ask
21:16:04 <sethsimmons> Churning could be done today in theory, as the protocol obviously already supports it
21:16:18 <sethsimmons> I like the tagging long term, but churning is a good interim solution
21:16:18 <knaccc> but then we are going to hit immovable objects
21:16:26 <knaccc> in terms of wallet scanning time.
21:16:39 <sethsimmons> And we need to clearly explain that churning reduces a common attack vector against Monero, but isn't always needed
21:17:03 <sethsimmons> It's not a big deal if a couple of transactions per user get churned every once in a while
21:17:15 <sethsimmons> People aren't receiving from VASPs etc frequently
21:19:47 <knaccc> if we wanted to do a quick fix to partially address these recent tracing concerns, i'd recommend 1 churn automatically done on each incoming output prior
21:20:01 <knaccc> delete the word prior off the end
21:20:29 <sethsimmons> Yeah, but thats a lot of interim, unrecoverable blockchain bloat
21:20:35 <sethsimmons> For who knows how long
21:20:48 <knaccc> correct
21:20:57 <sethsimmons> 2x the storage and compute for the foreseeable future is non-ideal, but if its that big of an issue it could be done I guess
21:21:06 <knaccc> it all depends on how seriously we take the threat
21:21:09 <sethsimmons> But I'd lean more towards selective churning if at all possible
21:21:13 <sethsimmons> <knaccc "it all depends on how seriously "> Absolutely
21:21:47 <knaccc> if we can kick the can down the road, and if this recent angst fades, we can go back to being content with untraceability-theater
21:22:13 <sethsimmons> The other alternative is re-sharing the Breaking Monero on EABE and recommending users with advanced threat models churn 1+ time when receiving funds from a "risky" source
21:22:26 <sethsimmons> <knaccc "if we can kick the can down the "> :P I don't think anyone is content with that
21:22:46 <sethsimmons> But rather the pros are not clearly outweighing the cons until this CT stuff
21:23:02 <sethsimmons> This could be a good fire under us to figure out a path forward for this specific heuristic
21:24:13 <knaccc> the fire will fade, we'll announce that we're aware of certain heuristics and that MRL is working on research to enhance untraceability
21:24:17 <knaccc> and then the pressure will be off
21:25:12 <knaccc> XMRUSD is up 2.62% today, why rock the boat
21:25:28 <sethsimmons> I don't want the pressure to be off :)
21:25:42 <sethsimmons> This was a good push, lets ride it if there is a good solution forward
21:26:15 <sethsimmons> knaccc: any good guides/docs on churning currently? I don't even see a way to do it in the GUI at all
21:26:25 <sethsimmons> And, tbh, I've never done it before
21:29:15 <sethsimmons> nvm, this is MRL channel, we can leave that topic for elsewhere/another day :)
21:29:43 <thrmo> maybe we should have churn capabilities built into the GUI per output.
21:30:07 <Isthmus> Insight has some internal docs about churn: https://docs.google.com/document/d/1BZ3ptviayQg-_5JgwhQyQNDeXFlUnCNisLeJ0LH_6js/edit?usp=sharing
21:31:02 <knaccc> sethsimmons since outputs need to be churned independently, it can be quite hard to do it yourself
21:31:45 <Isthmus> We were thinking about adding churn functionality to the CLI / GUI
21:31:53 <knaccc> so really there needs to be auto-churn queuing on incoming outputs as a wallet feature
21:32:12 <sethsimmons> <Isthmus "Insight has some internal docs a"> Thanks!
21:32:29 <sethsimmons> <knaccc "so really there needs to be auto"> Yeah has to be automatic to work for the masses, and has to be clear why it should be on/off
21:32:41 <knaccc> i've long thought that tx queuing in general would be useful anyway, even if no churn
21:32:55 <knaccc> because then people don't have to wait for transactions to complete before making more transactions with the change
21:33:25 <knaccc> they just initiate the txs and the wallet queues them up and submits them when funds are unlocked
21:33:43 <knaccc> the idea that people need to set a timer to return to their wallet to do a further tx is crazy
21:36:14 <sethsimmons> Its true, I would love that, but that also requires leaving wallet unlocked in some way for long periods
21:36:35 <sethsimmons> Because you can't sign the TX until the parent is confirmed, correct?
21:37:16 <Isthmus> Yea, since ring members are referenced by output index instead of something intrinsic like tx_hash
21:39:11 <knaccc> right, the wallet would need to keep your privspendkey around until the queued stuff is completed
21:39:31 <knaccc> and churn would not be fun with hardware wallets
21:40:04 <sethsimmons> <knaccc "and churn would not be fun with "> I don't think this is a problem, just recommend that people don't send straight from exchange to cold storage
21:40:38 <knaccc> but then their funds are exposed
21:41:07 <knaccc> negates the advantage of having your private key only on your hardware wallet
21:42:00 <sethsimmons> True, then HW wallets are gonna suck in a major way lol
21:42:22 <sethsimmons> Come back to your Lexger and sign every few hours
22:09:32 <sgp_> Isthmus: it's always amusing to see my comments from over a year ago on rando docs haha
23:37:29 <sgp_> knaccc: you still here? I have a question about the churn test. How are the other pairs selected? for example the 10 pairs