Messages - Vespco

Thanks for the in-depth look, I would love to hear your additional thoughts on how to improve security/privacy/etc.

I disagree about some of your points, and when I get the time I will further elaborate on it.

Member Introductions / Re: Pleased to meet you.
« on: May 03, 2018, 02:23:37 PM »
We need and absolutely want your help! Have you seen our taiga stuff as well?

Ideas & Suggestions / Re: How to install video
« on: March 03, 2018, 08:25:14 PM »
We'll be making it absurdly easy to set up in the future by making it quickly deployable using containerization/docker.
I am also willing to record video/audio on how to do this, would be good for my YouTube channel! :)

We have a lot of work to do in regards to making annularis work effectively with Monero multisig, and making it easy enough for common users to use and buy using Monero.
Now that Monero has multisig, the RPC works with Multisig, and the fact that it is soon to be packaged with Debian (and hopefully TAILS) we are going to be hitting this project much harder, and a lot of functionality and improvements will be seen.
It's taken a while for me to organize it, but I'm meeting with a team today that'll be developing it and it should be all very good news!

I've been quietly working on the project on as well, and have been putting more thought into it. I'll be changing that from private to public soon.

News / Re: Development update: 3 months
« on: January 15, 2018, 03:49:13 AM »
Yes definitely. I am working on getting it setup on to help get more attention to the project and to have more input.
I need to define how the multisig is going to be implemented. I'm still not sure the best/easiest way to do it. Seems like a nice multisig feature for bitcoin was ever worked out.

News / Re: Development update: 3 months
« on: January 09, 2018, 11:42:46 PM »
Wonderful! Checking it out now.
Going to get more involved. Been crazy busy with life but I am more than happy to help test bugs and everything else I can do.

Also I'm in contact with humancell and they're going to add massive support to this project soon. It is very exciting times!
Thank you for the update and demo. Really appreciate all the effort that has been put forth for this!

Feature Request / Good list of Marketplace features we should have.
« on: December 22, 2017, 06:44:01 PM »
I found this list and think it has provided some rather good suggestions for features of a privacy preserving marketplace. I've copied the feature list that I think apply to developing annularis.

  • You must implement 2-of-3 Multi-Signature.

  • No JavaScript on your market, except for warning users to disable JS if they have it enabled. If the user has enabled JavaScript while visiting your main page, he must be prompted with a warning to set the security slider of the Tor browser to high along with a short description of how to do it.

  • Users have to set their public PGP key on their profile before they can make their first order.

  • You must offer all users 2FA with PGP. It has to be enforced for all vendors.

  • The PGP encrypted messages used for 2FA must contain a phrase similar to: 'Only valid for <all valid market addresses>' along with the default random passcode. If 2FA is set, the users should not be able to circumvent it and always be required to enter their password and the decrypted PGP passcode. Furthermore, the encrypted 2FA passcode can only be valid for one login.

  • When a vendor wants to change his PGP key, he has to sign it with his old one. You can also display this signature publicly for users so they can check themselves that the vendor signed his new key with his old one.

  • Buyer and seller accounts are different. Buyer accounts cannot become vendor accounts.

  • The order notes, or whatever the message to the vendor is called on your market in which the customer sends his address to the vendor he is buying from, must be PGP encrypted by the user. If it is not, reject the message and tell the user that he has to encrypt his address as well as other sensitive data before sending it and link him to guides on how to properly do it. The checking can easily be done by looking at the beginning of the message and checking if it is the default string of PGP encrypted message (i.e. '-----BEGIN PGP MESSAGE-----').

  • Delete private messages and order details after a certain time period (not longer than 2 months).

  • Use of CSS to prevent reloading pages for small clicks. For example realize some functions like collapsing or expanding a box with CSS instead of reloading the entire page with every click.

  • For country drop-down lists: put, for example, the 3 most selected ones on top of the list and sort the rest alphabetically. That way a good chunk of users do not have to scroll down to "United States" for example.

  • Make page sizes as small as possible for quick loading.
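
The encrypted-order-notes item above suggests checking only for the '-----BEGIN PGP MESSAGE-----' prefix. The sketch below is an added example (not part of the original post and not Annularis code) showing a stricter check that also parses the armor and requires the first OpenPGP packet to be a public-key encrypted session key, since signed-only or hand-typed text can carry the same prefix. Function names and the sample messages are constructed for illustration.

```python
import base64

HEAD = "-----BEGIN PGP MESSAGE-----"
TAIL = "-----END PGP MESSAGE-----"

def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def first_packet_tag(raw: bytes):
    """Packet tag of the first OpenPGP packet, or None if it is not a packet."""
    if not raw or not raw[0] & 0x80:
        return None
    return raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F

def is_pgp_encrypted(text: str) -> bool:
    """True only for armor whose first packet is a public-key encrypted session key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != HEAD or lines[-1] != TAIL:
        return False
    body = lines[1:-1]
    if "" in body:  # optional "Version:"/"Comment:" headers end at the blank line
        body = body[body.index("") + 1:]
    checksum = body.pop() if body and body[-1].startswith("=") else None
    try:
        raw = base64.b64decode("".join(body), validate=True)
        if checksum and base64.b64decode(checksum[1:], validate=True) != crc24(raw).to_bytes(3, "big"):
            return False
    except ValueError:
        return False
    return first_packet_tag(raw) == 1  # tag 1 = PKESK; tag 8 or 11 is unencrypted data

def armor(raw: bytes) -> str:
    """Wrap bytes in ASCII armor (used here only to build constructed samples)."""
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([HEAD, "", b64, "=" + crc, TAIL])

# Constructed samples: packet headers followed by filler, not real ciphertext.
ENCRYPTED = armor(bytes([0x85, 0x01, 0x0C]) + bytes(12))   # old-format tag 1
SIGNED_ONLY = armor(bytes([0xA3, 0x01]) + bytes(12))       # old-format tag 8 (compressed)
SPOOFED = HEAD + "\n\n221B Example Street\n" + TAIL        # plaintext between armor lines
```

This only validates structure; it cannot tell whether the message was encrypted to the vendor's key, which the server could check by comparing the key ID in the tag 1 packet with the vendor's published key.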

Member Introductions / Re: Interested in helping out
« on: October 08, 2017, 08:35:09 AM »
"We could have solutions in place so that the software takes a percentage of commissions to donate to charities by default. "
Not really, it is free and open source code, anyone can change it so the funds are allocated to just seller and marketplace.
I would rather have this just be a tool for people to use, and then they can opt into whatever they like, such as if they want to donate. The goal of this is privacy, security, etc -- forcing a percent to be donated, or even encouraging that potentially jeopardizes such goals.

What are your motivations for building crypto marketplace software?
My honest answer is I'd like to lower the barrier to entry for people who want to start darknet marketplaces, and for it to act as a nucleating point for various libraries related to cryptocurrency and other privacy-preserving tools. Hopefully, we can create some Monero PHP libraries that get used in other software.

There is maybe a more moderate answer about helping grow the cryptocurrency economy, but for me it's not about that, it's about providing a tool that gives people power.

Is this a political statement to you? Or is this more of a technological statement?
Both, but ultimately the tech interests me because of political views. I am not sure how you mean technologically - as tech isn't interesting without considering its implications/utility.

How have you stayed motivated for so long?

Idealism and positive reinforcement.
However, it is important to note that I have lost interest in this one fewer times than I have been interested in it:

Bitwasp idea originally came about in 2012, flopped because no one had any real interest in it. Then when silkroad got shut down - everyone had a huge interest in it which revived it - which we made another attempt at it again, got pretty far and then it just flopped again thanks to loss of interest due to the OpenBazaar hype.
Additionally, I had become a bit disillusioned with bitcoin since it was so public and had so many issues. Monero inspired me again, and so I figured: hey, let's revive this yet again because I really do want an open source, free marketplace software available. It seems like this project teeters on people being just enough interested to help, but that it really struggles to get good traction. I have way more experience with fundraising, developing software and networking with reporters, etc. than ever before, and we're closer than ever before - so this time it should be a home run. Hopefully then we'll see it get more traction and others actually using it, developing addons/apps for it and so forth.

Is this something that is still in progress? Or am I just replying on a dead forum?
Still very much in progress, we're doing some stuff behind the scenes with Monero's RPC and figuring out how to do multisig -- it's a bit of a hold up because the multisig RPC isn't merged - we're developing with what exists currently in a branch, but

What are your goals for this project? What do you want from it?
A very secure, actively developed free and open source privacy oriented monero marketplace software that anyone can setup and use, and that helps to build various libraries for Monero, and other privacy-preserving tools.

That's both the goal of the project and what I want from it; I like to be involved with such a thing.

How concerned should we be about security around here? While we're not technically doing anything illegal, it's definitely something that's looked down upon. What are your opinions on best practices while browsing this forum?

Depends on who you are: if you're a software developer, it likely is fine to be public: I believe the previous coder, afk11, basically got a pretty good job out of it since his coding/efforts were noticed. 

The flip side to that is that I had a very involved death threat come to all of my emails/fb/etc after posting about this project on the SR1 forums the first time.
Law enforcement is probably lazily watching it, or will be able to look at stuff retroactively via google cache, etc

Ultimately, you have to decide for what you are doing with it, who you are, your intentions, etc. I have obviously opted to attach my real name to it.

Feature Request / Re: Let's ditch the 2-2. 2-3 represented instead.
« on: October 08, 2017, 07:49:28 AM »
Both will be available. It is open source and an ongoing project but 2/2 multisig for monero is further along and easier to implement.

In a 2/3 the marketplace would be the third signer.

So, after serhack had updated the older dilapidated bitwasp software into the Annularis Marketplace software and fixed a bunch of issues, we decided that the best approach was to wait until Monero had an RPC API for multisignature addresses and transactions.

This is because doing a PHP library for monero multisig would be too complicated and have some interesting security risks if it weren't implemented properly.

Well, thanks to the amazing work of MoneroMoo, the RPC API for multisig now exists so what we'll need to do now is integrate that and we'll have a MVP for Annularis as a monero multisig marketplace! :D

So, the multisig works as described here:

Multisig for RingCT on Monero

    2 of 2

    User A (coordinator):
    Spendkey b,B
    Viewkey a,A (shared)

    User B:
    Spendkey c,C
    Viewkey a,A (shared)

    Public Address: C+B, A

    Both have their own watch only wallet via C+B, a

    A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)

    A and B watch for incoming outputs

    B creates "half" key images for discovered output D:
    I2_D = (Hs(aR)+c) * Hp(D)

    B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
    and sending the pubkeys with I2_D.

    A also creates "half" key images:
    I1_D = (Hs(aR)+b) * Hp(D)

    Then I_D = I1_D + I2_D

    Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).

    A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
    to his own generated ones where they are needed (secret row L, R).

    At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
    which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).

    B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).

    B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
    to his cache, allowing him to verify spent status as well.

    A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
    Otherwise, trickery like the following becomes possible:
    A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
    B creates a fake key C = zG - B. B sends C back to A.
    The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
    The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).

The seller will join, and create a spendkey (c,C) on their own. They'll give C to the annularis marketplace implementation.
The buyer will join, and create a spendkey (b,B) on their own. They'll give B to the annularis marketplace implementation as well.
The marketplace will combine them to form the multisig address: C+B, A.
The buyer will receive this multisig address and pay to it.
The seller will then sign this transaction to receive the funds.
The buyer will only sign it if they have received the products and are happy with it: otherwise, they'll have to work it out or no one will get any money.

I'm going to talk to serhack, he's probably pretty busy with all that he does for monero and the monero integrations, but hopefully this project will begin moving forward again soon. :)
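
The quoted design says both parties must prove they know the secret behind the spend key they submit, otherwise a key of the form C = zG - B cancels the honest key. The sketch below is an added example (not part of the original post and not Monero or Annularis code) that reproduces that cancellation and shows a coordinator rejecting the key when a Schnorr proof of knowledge is required. As an assumption for brevity, a toy multiplicative group modulo 2**127 - 1 replaces Monero's Ed25519 group, so it illustrates the algebra only; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption): integers mod the Mersenne prime 2**127 - 1 stand in for
# Monero's Ed25519 points. "xG" becomes G**x mod P and "X + Y" becomes X*Y mod P.
P = 2**127 - 1
N = P - 1          # exponents are reduced modulo the group order
G = 3

def pub(x):                 # the page's xG
    return pow(G, x, P)

def add(X, Y):              # the page's X + Y
    return X * Y % P

def sub(X, Y):              # the page's X - Y
    return X * pow(Y, -1, P) % P

def rogue_key(B, z):
    """C = zG - B, picked after seeing B; its sender knows no c with C = cG."""
    return sub(pub(z), B)

def challenge(R, X):
    digest = hashlib.sha256(f"{R}:{X}".encode()).digest()
    return int.from_bytes(digest, "big") % N

def prove(x):
    """Schnorr signature over one's own key: shows knowledge of x for X = xG."""
    k = secrets.randbelow(N - 1) + 1
    R = pub(k)
    return R, (k + challenge(R, pub(x)) * x) % N

def verify(X, proof):
    R, s = proof
    return pub(s) == add(R, pow(X, challenge(R, X), P))

def joint_spend_key(B, proof_B, C, proof_C):
    """Coordinator side: combine the spend keys only after both proofs check."""
    if not (verify(B, proof_B) and verify(C, proof_C)):
        raise ValueError("spend key submitted without a valid proof of knowledge")
    return add(B, C)
```

With `C = rogue_key(B, z)` the combined key `add(C, B)` equals `pub(z)`, so whoever chose z controls the address alone; `joint_spend_key` refuses it because the only proof that party can produce is for `pub(z)`, not for C.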

Member Introductions / Re: Bonjour my fellow Crypto Friends,
« on: July 27, 2017, 07:07:42 PM »
Introducing, Tfbtfb "The future is bright the future is Bitcoin"

After spending months trying to get alternative multivendor marketplace scripts to integrate with HD Wallets the way god intended, without 3rd party payment processors has been a real uphill struggle with 100mph head on winds. In truth I have probably gone sideways rather than forward.

I have some ideas to throw into ring.

Let's all get our heads together and make Annularis a game changer in the ecommerce market.

That would be great! What sort of skills do you offer?

Member Introductions / Re: Im glad I now registered
« on: July 27, 2017, 07:06:42 PM »
This looks like a spambot... soon we'll be overrun by them and will need to take some measures to stop them. It's fairly difficult.

General Annularis Discussion / Re: Annularis Mission
« on: July 20, 2017, 07:55:27 AM »
I'm picturing this to gradually improve over time for a long time but we're currently waiting for the multisig feature to be implemented in the json API so that we can implement it. So, it's largely dependent on that. Everything is done, but hasn't been properly tested. There's also a bug or two that we need to fix, and probably a bunch of bugs that we need to discover.

This seems like the safest and fastest way to go about it currently, but I'd like in the future to create some libraries so that it's less dependent on running on the wallet software.

However that's really an involved task since we'd have to implement some version of this:

General Annularis Discussion / Re: Annularis Mission
« on: July 14, 2017, 10:47:34 PM »
If you're working on a project, perhaps we can join forces and all be better off?

What is your project?

General Annularis Discussion / Re: Annularis Mission
« on: July 09, 2017, 08:15:45 PM »
nice, good luck!
Thank you!
Really excited for this project. :)

Coding is probably the best way to help. If you can code or do design, get in touch and we'll discuss everything with you.

Another way is to interview us. If you write for magazines, journals, podcasts, vlogs, etc. I am very happy to be on audio/video interviews or answer any text questions you might have.

You can donate to us here:

Monero Public Address:

Monero View Key:


If you have other coins you can donate via -- We will receive the payment in the form of Monero.

We will generally convert the Bitcoin to monero or use bitcoin first for costs such as hosting, development, and so on. I think the value of monero is likely to increase more than bitcoins so it is preferable for us to hold.

I will also set up the ability to donate via credit card using Stripe. If you want to do that now, contact me.

We're not really asking for any financial donations yet, just posting this so I can link to it on the forum. 

There is a good chance we're going to do a Monero FFS -- so you may want to donate that way. I believe it has mile marker payouts and so it will have more accountability.  Keep an eye on this post and we will update this with the FFS link when we move forward with that.
