The only way to access your direct messages (DMs) and IP addresses on centralized social media platforms is through a court order presented to the company's lawyers. However, on #nostr your IP address is exposed to everyone, and there's a risk that clients could have backdoors to access your private keys and read leaked metadata from your DMs.


Discussion

Use an open source client; you can verify there's no back door.

Code auditing service 🤔

Nobody is auditing the code. We find out when a dev stumbles upon a bug through sheer luck.

I’m wondering how many people are going through the code? Also, Mullvad is an open source VPN, but they require access to your private key for generating a WireGuard config; there's no option to generate it solely with the public key. Consequently, they have the capability to monitor your traffic in plaintext in every scenario. But Mullvad is being shared all over under the claim “open source”.

Mullvad does not need your private key to generate a WireGuard config. They do not need your private key for anything.

Who’s to say that the “live” version you are using is the same as the codebase you are looking at?

Not all software is checksummed. And even if it were… how would you verify App Store installs?

Web clients are easier to verify … but only by “naked eye” inspection of the ENTIRE codebase downloaded to your browser.

And if the client has a back end API at all… any server (including any relay) can be set up with backdoors for access to the database or raw traffic. No telling what's running in a black box server. Ever.

It isn't hard to look in the source code for connections made by the client (there should be none outside of the chosen relays). But it is not practical to personally audit the source of every app you use.
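
The check described in that comment, as an added example that is not part of the thread or of any Nostr client: a small scanner that pulls every `ws(s)://` and `http(s)://` endpoint out of a client's source tree and flags hosts that are not in the user's configured relay list. The sample source files and the relay allowlist below are constructed for illustration; `scan_directory` shows how you would run the same check on a real checkout.

```python
"""Flag network endpoints in a Nostr client's source that are not the user's chosen relays.
Added example; the sample files and allowlist are constructed, not taken from any real client."""
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed in-memory source tree standing in for a client checkout.
SAMPLE_SOURCES = {
    "src/relays.ts": 'export const RELAYS = ["wss://relay.example.org", "wss://nos.example.net"];\n',
    "src/dm.ts": 'const url = "wss://relay.example.org"; // send DM over the chosen relay\n',
    "src/telemetry.ts": 'fetch("https://metrics.example.com/collect", {method: "POST"});\n',
    "src/assets.ts": 'const img = "http://cdn.example.com/logo.png";\n',
}

# Assumed user configuration: the only hosts the client should ever talk to.
RELAY_ALLOWLIST = {"relay.example.org", "nos.example.net"}

# Literal URLs with a ws/wss/http/https scheme. Stops at whitespace, quotes, brackets.
URL_RE = re.compile(r"\b(?:wss?|https?)://[^\s\"'<>)]+", re.IGNORECASE)


def extract_hosts(text):
    """Return (url, hostname) pairs for every literal URL found in a source file."""
    found = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        host = urlparse(url).hostname
        if host:
            found.append((url, host.lower()))
    return found


def find_unexpected_endpoints(sources, allowlist):
    """Return [(path, url)] for endpoints whose host is outside the relay allowlist."""
    findings = []
    for path, text in sources.items():
        for url, host in extract_hosts(text):
            if host not in allowlist:
                findings.append((path, url))
    return findings


def scan_directory(root, allowlist, suffixes=(".ts", ".js", ".kt", ".swift", ".dart", ".rs")):
    """Run the same check over a real source checkout on disk."""
    sources = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            sources[str(path)] = path.read_text(encoding="utf-8", errors="replace")
    return find_unexpected_endpoints(sources, allowlist)


if __name__ == "__main__":
    for path, url in find_unexpected_endpoints(SAMPLE_SOURCES, RELAY_ALLOWLIST):
        print(f"{path}: unexpected endpoint {url}")
```

This only catches endpoints that appear as string literals. A client that assembles hosts at runtime, loads them from a remote config, or calls into a native library will not show up, so treat a clean result as a first pass rather than proof of no back door.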

Obtainium removes some intermediaries like the Play Store, as you get a build of what is on GitHub.

F-Droid does its own builds, has stricter policies and does some auditing. Aurora Store does some privacy auditing of binaries. You have to trust them, though.

No easy answers

never use DMs for sensitive info

If I visit El Salvador I can be placed in jail by Bukele because I have been chatting with nostr:npub1wp4wzdvn25ckqxd6v6y46axpdx25hywu2mduhr5r9a5vzq5g7keq332ynk on nostr via DMs (where everyone can see the metadata), who was placed in jail and killed by the Bukele regime!

El Salvador is not the "freedom" paradise that many Bitcoiners believe it to be.

It’s a shithole 3rd world country under dictatorship control that buys influencers to shill the so-called “paradise”.

Well, obviously? And there's obviously corruption around anywhere there's a state involved..

Dictator, Democracy, whatever.

This is why I say people who think "moving to a better jurisdiction" is a solution are wrong; it is not. If bitcoin does not work in any jurisdiction, no matter how totalitarian, then it does not work at all. People have to stop obeying the decrees of the jurisdiction they are in, not move to new places.

The story of what happened to muyshondt has not gotten nearly enough attention by bitcoiners.

He was killed! And fuck all of the Bitcoiners who haven’t questioned it and are sold out to Bukele! Fuck them hard! I have no respect for these people!

Not only was he killed, but he was tortured beforehand, and then they lied about him being dead for two days. Bukele is a wolf in sheep’s clothing, and Max Keiser and Stacey Herbert are complicit. Fuck them.

Why was he killed? I'm deeply saddened by a 2012 Bitcoiner's mysterious death.

He started speaking out about corruption in the bukele regime, was arrested and then died of a “stroke” in jail. When his family got his body they said there were holes and bruises all over his body, including a hole in his head that looked like a lobotomy was performed.

This is insane.

While this is not a very pleasant truth, this has actually happened to quite a few hodlers.

Yes. I have heard.

Remember, it has happened to a lot more anons holding bitcoin. Just that we can never know.

Does it help if we have a VPN?

Nah! That’s what devs want to make you think, that a VPN is the way! You don’t know who is behind the VPN and if it spies on you.

So then we’re all doomed?

Spin up your own! But yeah, if you use a 3rd party VPN, most likely you are doomed.

The problem is not the implementation of Nostr, it is the IP protocol itself. It could have been designed without source address, but alas, we are stuck with it now.

You can spin up your own VPN, and then all your traffic will come from your VPN's VPS's unique IP, it won't be hidden in a crowd, like it would be with a commercial VPN. Tradeoffs, but that unique IP will get tied to you as soon as you sign into something, and then that IP is unmasked.

For nostr you can spin up your own relay and have it download all your follows' notes. You can have that relay broadcast your notes to other relays, but those relays will see the IP you are broadcasting notes from, so if it is running at home, again your IP is leaked, so you would want to run it from a VPS or behind a VPN. Also, I don't know what relays can be configured like I mentioned out of the box.

Damn it 🤔

A VPN can help. It's not black and white. There is nuance.

I barely trust VPNs! Also, will normies be using VPNs?

If you don't use a VPN, your IP will pinpoint you in your house, or your exact device if mobile. Yes there is some trust involved in using a VPN, and most VPNs I do not trust, so choose carefully.

VPNs are the honey pots. It’s just whom you let spy on you.

The only way you will get what you are looking for is to use Tor full-time. Good luck with that though because the lagginess is unbearable.

Obscura solves the VPN trust problem, if he ever actually opens it up for customers. But it is a two-hop solution, which might be more laggy.

It's quite usable for text. Lagging is mostly on the startup.

I use it a lot and my experience totally sucks most of the time.

I'm using it right now. No difference for text posts

What do you think about Amethyst with Tor?

for DMs i would use simplex chat

Today someone told me about SimpleX, I'll keep it in mind 👏

Obviously! But you can’t stop people from DMing you on here, or just simply encourage them to move to the other app!

Is it truly that easy to look up someone's IP address through nostr? 👀

Yes, we had a guy on here who leaked our IPs.

Nostr events themselves DO NOT include IP addresses. This info is only available during transfer of events from client to relay.

Every client and relay has access to your IP address during event transfer. It’s up to them to purge or store (or sell?) this data as they see fit.
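
The distinction drawn in the two comments above (the event carries no address; the relay sees the peer address only on the connection), as an added example that is not part of the thread or of any Nostr implementation: it builds a NIP-01 event, computes its `id` the way the spec defines it, and then models a relay-side handler that receives the event over a connection whose peer IP is known from the transport layer and is kept or dropped according to the operator's retention setting. The pubkey, timestamp, address and message are constructed; signing (BIP-340 Schnorr over the `id`) is left out because it needs a secp256k1 library.

```python
"""NIP-01 event id computation plus a relay-side handler that keeps transport metadata
separate from event data. Added example; keys, timestamps and addresses are constructed."""
import hashlib
import json
import time

NIP01_FIELDS = {"id", "pubkey", "created_at", "kind", "tags", "content", "sig"}


def serialize_for_id(pubkey_hex, created_at, kind, tags, content):
    """NIP-01: the id is sha256 over the UTF-8 JSON array
    [0, pubkey, created_at, kind, tags, content] with no whitespace.
    json.dumps with ensure_ascii=False matches the spec escaping for ordinary text;
    control characters other than \\n \\r \\t \\b \\f would need custom escaping (assumption)."""
    arr = [0, pubkey_hex, created_at, kind, tags, content]
    return json.dumps(arr, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def event_id(pubkey_hex, created_at, kind, tags, content):
    return hashlib.sha256(serialize_for_id(pubkey_hex, created_at, kind, tags, content)).hexdigest()


def build_event(pubkey_hex, kind, content, tags=None, created_at=None):
    """Assemble the event a client would send. No network field exists in the structure."""
    tags = tags if tags is not None else []
    created_at = int(time.time()) if created_at is None else created_at
    return {
        "id": event_id(pubkey_hex, created_at, kind, tags, content),
        "pubkey": pubkey_hex,
        "created_at": created_at,
        "kind": kind,
        "tags": tags,
        "content": content,
        "sig": None,  # BIP-340 Schnorr signature over id; omitted here (needs secp256k1)
    }


class RelayConnectionLog:
    """Models what a relay learns: the event from the message, the IP from the socket.
    retain_ips is the operator's policy; the event itself never carries the address."""

    def __init__(self, retain_ips):
        self.retain_ips = retain_ips
        self.records = []

    def on_message(self, peer_ip, raw_message):
        msg = json.loads(raw_message)
        if not isinstance(msg, list) or msg[0] != "EVENT":
            return None
        event = msg[1]
        if set(event) - NIP01_FIELDS:
            raise ValueError("unknown fields in event")
        expected = event_id(event["pubkey"], event["created_at"], event["kind"],
                            event["tags"], event["content"])
        if expected != event["id"]:
            raise ValueError("event id does not match content")
        record = {
            "event_id": event["id"],
            "pubkey": event["pubkey"],
            "peer_ip": peer_ip if self.retain_ips else None,  # transport metadata only
        }
        self.records.append(record)
        return record


if __name__ == "__main__":
    ev = build_event("ab" * 32, 1, "hello relay", created_at=1700000000)  # constructed key/time
    wire = json.dumps(["EVENT", ev])
    for policy in (True, False):
        relay = RelayConnectionLog(retain_ips=policy)
        print(policy, relay.on_message("203.0.113.7", wire))  # documentation-range address
```

The point the handler makes concrete: the `id` covers only the six signed fields, so a relay cannot smuggle a client's address into the event without breaking the hash, but nothing in the protocol stops it from writing `peer_ip` to its own log next to the pubkey.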

Thanks 👍! So, what would you say is the best way to counter this?

Use a VPN, which you should be doing for everything else anyway.

It's not true that your IP is visible to everyone.

Yes, Nostr clients can have backdoors; just like Bitcoin nodes and wallets, they can get your private keys and access your coins. 🤡

Did I really read that? Are you even on Bitcoin? Do you know what open-source means? Like really?

And btw, your IP is NOT exposed to everyone; another lie.

Unfollowed, btw.

By the way, you are dumb!

Post my IP or my Bitcoin private key or GFY

Every client and relay has access to your IP address during event transfer. They decide whether to store it or not.

You probably haven’t been here in the earlier days when Enigma, a nostr-related messenger, had a backdoor and leaked the private keys of a lot of users! Until one of the devs figured it out and called on them publicly to fix the issue, which they refused. You dumb fuck!

Only relays get IPs. Clients don't store anything, and you don't use closed source, just like you don't use closed source wallets. Amethyst, btw, has a Tor setting built into the app, if you don't know.