warning banner about new surveillance + opsec page (#35)

* warning banner about new surveillance + opsec page * finishing opsec page
3 days ago · e98f928ce3
parent 5d363417f8
commit e98f928ce3
6 changed files with 167 additions and 1 deletions
--- a/xmrnodes/routes/meta.py
+++ b/xmrnodes/routes/meta.py
@ -104,6 +104,11 @@ def about():
    return render_template("about.html")


+@bp.route("/opsec")
+def opsec():
+    return render_template("opsec.html")
+
+
@bp.route("/add", methods=["GET", "POST"])
 def add():
    if request.method == "POST":
--- a/xmrnodes/static/images/coin_sweep.png
+++ b/xmrnodes/static/images/coin_sweep.png
--- a/xmrnodes/static/images/coin_sweep_outputs.png
+++ b/xmrnodes/static/images/coin_sweep_outputs.png
--- a/xmrnodes/static/images/tainted_utxos.png
+++ b/xmrnodes/static/images/tainted_utxos.png
--- a/xmrnodes/templates/base.html
+++ b/xmrnodes/templates/base.html
@ -27,11 +27,47 @@

 <body>

-  <div id="donateBanner" style="text-align: center; background-color: rgba(255, 183, 195, .75);">
+  <div id="warningBanner" class="banner">
+    <h1>
+      WARNING
+    </h1>
+    <p>
+      There has been an influx of malicious nodes hosted by chain analysis and government agencies which spy on Monero users.
+      Some of them may be in this list - it's impossible to know.
+      To best protect yourself from surveillance please use Tor or run your own node.
+      <br /><br />
+      To learn more about the surveillance issue, watch this video
+      <a href="https://www.youtube.com/watch?v=WkphgF6Hn4w" target="_blank">How Monero Users Get Traced</a>
+      <br />
+      To learn more on how to mitigate the surveillance, read this page: <a href="/opsec">Opsec</a>
+    </p>
+  </div>
+
+  <div id="donateBanner" class="banner">
    <h1 style="font-size: 12px; padding: 4px; margin: 0;">Please consider donating to fund hosting bills, development, and maintenance time:</h1>
    <p style="font-size: 14px; padding: 0 0 4px 0; margin: 0; user-select: all; word-wrap: anywhere;">{{ config.DONATE_ADDRESS }}</p>
  </div>

+  <style>
+    .banner {
+      text-align: center;
+    }
+    #donateBanner {
+      background-color: rgba(0, 183, 195, .35);
+      padding: .35em;
+    }
+    #warningBanner {
+      background-color: rgba(255, 0, 0, .7);
+      padding: .5em 2em .5em 2em;
+      margin: 0 auto;
+    }
+    #warningBanner p {
+      width: 60%;
+      margin: 0 auto;
+      padding-bottom: 18px;
+    }
+  </style>
+
 {% with messages = get_flashed_messages() %}
  {% if messages %}
    <ul class="flashes pure-u-1 center">
--- a/xmrnodes/templates/opsec.html
+++ b/xmrnodes/templates/opsec.html
@ -0,0 +1,125 @@
+<!DOCTYPE html>
+ <html lang="en">
+ <head>
+     <meta charset="UTF-8">
+     <meta http-equiv="X-UA-Compatible" content="IE=edge">
+     <meta name="viewport" content="width=device-width, initial-scale=1">
+     <meta name="HandheldFriendly" content="True">
+     <meta name="MobileOptimized" content="320">
+     <link rel="shortcut icon" href="/static/favicon.ico" type="image/x-icon" />
+     <meta property="fb:app_id" content="0" />
+     <meta property="og:image" content="https://www.getmonero.org/press-kit/symbols/monero-symbol-on-white-480.png" />
+     <meta property="og:description" content="xmrnodes" />
+     <meta property="og:url" content="https://monero.fail" />
+     <meta property="og:title" content="XMR Nodes" />
+     <meta property="og:type" content="website" />
+     <meta name="viewport" content="width=device-width, initial-scale=1"/>
+     <meta name="theme-color" content="#ffffff">
+     <meta name="apple-mobile-web-app-title" content="XMR Nodes">
+     <meta name="application-name" content="XMR Nodes">
+     <meta name="msapplication-TileColor" content="#da532c">
+     <meta name="keywords" content="wownero, monero, xmr, bitmonero, cryptocurrency">
+     <link href="/static/css/normalize.css" rel="stylesheet">
+     <link href="/static/css/pure.css" rel="stylesheet">
+     <link href="/static/css/style.css" rel="stylesheet">
+     <title>XMR Nodes</title>
+ </head>
+ <body>
+
+    <div class="container">
+        <a href="/">go back</a>
+        <h1>OpSec for Monero Users</h1>
+
+        <p>
+            Chain analysis firms and law enforcement entities are observing the blockchain with spy nodes which log IP addresses. Safeguards such as Dandelion++ intended to mitigate this are not fool-proof. Swap services and exchanges comply with these agencies and provide additional metadata such as IP addresses, transaction hashes, and transaction amounts. Exchanges enforce KYC anyways, you're already identified there.
+        </p>
+
+        <p>
+            Additionally, these entities are "poisoning" wallets by sending tainted UTXOs - transactions which can allow them to monitor activity with a high degree of confidence if the user unknowingly spends them. Look at following image:
+        </p>
+
+        <img src="/static/images/tainted_utxos.png">
+
+        <p>
+            This is the donation wallet address I have hosted on the front page of this site.
+            It has received several tiny transactions which are very likely tainted UTXOs intended to monitor my wallet activity.
+            If I were to spend Monero and it ends up in a wallet controlled by a compliant entity then the additional metadata would confirm that the transaction came from my wallet.
+            Other metadata could be combined to de-anonymize my identity.
+            My activity can more or less be "traced" if I'm not careful to cover my metadata tracks.
+        </p>
+
+        <p>
+            Read more about the discussions here: <a href="https://github.com/monero-project/meta/issues/1124" target="_blank">MRL Notes</a>
+        </p>
+
+        <h2>Recommendations</h2>
+        <p>
+            <a href="https://github.com/monero-project/monero/blob/master/docs/ANONYMITY_NETWORKS.md#privacy-limitations" target="_blank">Read this.</a>
+            <a href="https://www.youtube.com/watch?v=WkphgF6Hn4w" target="_blank">Watch this.</a>
+        </p>
+        <p>
+            Here are the best things you can do to mitigate surveillance and protect your financial privacy:
+        </p>
+
+        <ol>
+            <li>
+                Run Tor and I2P proxies alongside your own monero node with <code>--tx-proxy</code> enabled: <a href="https://github.com/monero-project/monero/blob/master/docs/ANONYMITY_NETWORKS.md" target="_blank">instructions</a>. Always use your own node for any wallet spending.
+                <strong>Doing this ensures your transactions are always sent over anonymous networks and thus your IP won't be captured by listeners.</strong>
+            </li>
+            <li>
+                Be vigilant and check for the existence of unexpected transactions (typically very small) as potentially tainted outputs. <strong>If you end up with tainted outputs you have to go through a process to "weaken" them to reduce tracing probability and confidence).</strong>
+            </li>
+            <li>
+                Use a wallet with "coin control" which allows you to specify UTXOs you want to include/exclude. Exclude tainted coins in any future spends / include only coins you know exactly where they came from. I recommend <a href="https://featherwallet.org/" target="_blank">Feather Wallet</a>.
+            </li>
+            <li>
+                Consolidate the tainted outputs using coin control (send all of them to yourself in one transaction like the images below). Then once you have them in one output you send that to yourself a few times. The more times you do this the more it obfuscates the true sender and reduces tracing confidence.
+                <br />
+                <br />
+                <img src="/static/images/coin_sweep_outputs.png" width="400">
+                <img src="/static/images/coin_sweep.png" width="400">
+            </li>
+            <li>
+                Send tainted outputs to a donation address to some community thing such as <a href="https://ccs.getmonero.org/" target="_blank">CCS</a>
+            </li>
+        </ol>
+
+        <h2>Running a Node</h2>
+
+        <p>
+            I run my node with the following command-line arguments (requires <a href="https://raw.githubusercontent.com/Boog900/monero-ban-list/main/ban_list.txt" target="_blank">this ban list at ~/ban_list.txt</a> and running Tor and I2P proxies).
+        </p>
+
+        <code>
+            monerod \<br />
+                --tx-proxy tor,127.0.0.1:9050,disable_noise \ <br />
+                --tx-proxy i2p,127.0.0.1:4444,disable_noise \ <br />
+                --enable-dns-blocklist \ <br />
+                --ban-list ~/ban_list.txt
+        </code>
+
+        <p>
+            Alternatively, I offer a full node Docker Compose option for those comfortable with running containers. It includes the proxy configurations as well as other helpful monitoring/observability features. <a href="https://github.com/lalanza808/docker-monero-node" target="_blank">docker-monero-node on Github</a>.
+        </p>
+
+        <a href="/">go back</a>
+    </div>
+
+    <style>
+        .container {
+            width: 80%;
+            margin: 0 auto;
+            padding-bottom: 4em;
+        }
+        li {
+            margin-top: 12px;
+        }
+        code {
+            background-color: rgba(228, 228, 228, 0.5);
+        }
+        h2 {
+            padding-top: 1em;
+        }
+    </style>
+
+</body>