Could bad actors spin up their own relay to host illegal content in order to hurt nostr?

#asknostr

Discussion

What is illegal content, in the context of #nostr ?

Child porn is what I'm referring to

Yes, CSAM posters already post to the main nostr relays

They are allowed to write on the Internet. Relays aren't hosting the images.

They *can* host the images, but most public relays are not going to accept them. And if they do, they will be quickly banned and removed.

The relays are hosting the media directly, rather than only the events containing the links?

Or do you mean that someone might store the media on the same machine as the relay?

NIP-95. Relays can store media directly although it's deprecated

LOL, that would have killed Nostr off.

Geez. Imagine if people were storing their kiddie porn on our cell phone relays.

Data URLs are still a possibility for storing binary, unfortunately, and some clients render them.

We could probably pass everything through a filter layer client-side before downloading.

Could NKBIP 01 or 02 offer an attack vector?

Possibly, especially if indices reference external URLs.

Okay. We need to preclude this.

Maybe we can run external URLs (as opposed to event IDs) through a content scanner that automatically blocks suspect images or sites.

Seems almost Aedile-worthy.

nostr:npub1qdjn8j4gwgmkj3k5un775nq6q3q7mguv5tvajstmkdsqdja2havq03fqm7 what do you think? Where/how should we solve for this?

Client code can always be bypassed. If we're talking about hiding content from dirty relays for the majority of users, yeah, I think this would be pretty useful! In the case of Aedile, we maybe could add a toolkit/utility that can filter this content if it's fetched from a dirty relay. I don't recommend opinionated libraries, so I think it should be left up to the application builder to decide how they want to handle this, because CSAM stuff casts a wide net that is constantly expanding.

I've been thinking of the architecture more and how we might be able to implement a "pluggable" event filtering system which I think would be pretty neat, kind of similar to how Grain's kind handlers are implemented.

Say more about pluggable events 👀

An event data validator?

Could it be both for clients and for relays?

Well, I suppose those would be two different functions receiving the data, but couldn't we create an event validator system that could be customized? Like symfony has?

I think one of the other NDKs did something like that, but on a simpler/smaller scope.

I agree that it should be voluntary, but it seems like a core-library-level function that we should be offering in our NDK package, even if it's a separate repo/tool.

It's data validation will be beyond the abilities of many people using our NDK to build. You see how many apps just accept any garbage.

Totally cool with that yeah, just having tools available for developers to choose to filter/moderate content within their clients to offer some protection from rogue relays. I kind of like that too I suppose. It gives client devs the ability to pass that power to the user if they choose.

That would be a real value-added.

Yeah, cover and test for these obscure data quality issues.

Platinum-tier, white glove Nostr developer support.

Community guidelines for writing to and broadcasting to our relays. Being a smaller focused community, moderation should be manageable. I think that's a fair ask for anyone using our products. Also fair to ask users to help curate and identify content that is irrelevant or doesn't align with our standards.

Yes, we should look at reports.

you can make sure kinds 1064 and 1065 are disallowed, to prevent nip95s

Could they co-opt a different kind's content field?

Done, for all three relays.
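
Added example, not part of the thread and not code from any relay or NDK mentioned in it: a sketch of the pluggable event filtering discussed above, combining the kind 1064/1065 block, a data URL check on content and tags, and a content size cap for events that reuse another kind's content field. All function names and the 64 KiB limit are assumptions.

```javascript
// Added example. All names and the size limit are hypothetical.
const BLOCKED_KINDS = new Set([1064, 1065]); // kinds the thread names for NIP-95
// data: URL with a media type, e.g. data:image/png;base64,...
const DATA_URL = /\bdata:[a-z0-9.+-]+\/[a-z0-9.+-]+[;,]/i;

// A filter takes an event and returns null (accept) or a reason string (reject).
function rejectBlockedKinds(event) {
  return BLOCKED_KINDS.has(event.kind) ? `kind ${event.kind} not accepted` : null;
}

function rejectDataUrls(event) {
  if (typeof event.content === "string" && DATA_URL.test(event.content)) {
    return "data: URL in content";
  }
  const tags = Array.isArray(event.tags) ? event.tags : [];
  for (const tag of tags) {
    if (Array.isArray(tag) && tag.some((v) => typeof v === "string" && DATA_URL.test(v))) {
      return "data: URL in tag";
    }
  }
  return null;
}

// Limits how much binary can be packed into any other kind's content field.
function rejectOversizedContent(maxBytes) {
  return (event) => {
    const size = new TextEncoder().encode(String(event.content ?? "")).length;
    return size > maxBytes ? `content exceeds ${maxBytes} bytes` : null;
  };
}

// Runs filters in order; the first rejection wins.
function createPipeline(filters) {
  return (event) => {
    for (const filter of filters) {
      const reason = filter(event);
      if (reason) return { accept: false, reason };
    }
    return { accept: true, reason: null };
  };
}

const checkEvent = createPipeline([
  rejectBlockedKinds,
  rejectDataUrls,
  rejectOversizedContent(64 * 1024),
]);

// Constructed sample event (not real data).
console.log(checkEvent({ kind: 1, content: "pic: data:image/png;base64,AAAA", tags: [] }));
```

The same pipeline can run in a relay's write path or in a client before rendering; a filter that calls an external content scanner would plug in as one more function in the list.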

I don't remember, it was so long ago. There was a big hubbub about it all. Which is why 96 is http auth for media storage. Maybe it was never merged, I don't quite remember.

OMG the suggestion to save the pics to the hard disk. All the facepalms.

I think the trickier question to answer is whether a concerted campaign could hurt a commercial relay?

Reading this thread made me wonder if paid relays will ever work. My reasoning goes like this.

Everything that's been said applies to free relays, but what happens if a commercial relay is targeted? A lot of paying customers won't want to pay for a relay with that reputation, so there is a good incentive to target paid relays this way.

But they have to pay to attack.

And you think nation states won't do that?

It's the same game theory as Bitcoin. Attacking it means paying the people that run the things... It's a futile effort. There are much easier things nation states can do to target specific relays. Again, it doesn't affect nostr if one relay goes down what's.

As you said that I was wondering whether the #GFC admins have figured out how to block #nostr #relays by protocol behavior as they've done with #signal.

From what I've read it depends how simple the protocol is. #xmpp is hard to block even for China because it's so simple, but most others are a done deal already.

nostr is extremely simple. It's all just json being passed around websockets

but it's encrypted from client to relay.

Not always but I don't think that matters

Wouldn’t that be analogous to operating a website? Nostr is to internet as relay is to website.

Possibly, but other than to scare new people away, it’s not like they can take nostr down

Yes.

Indeed.

Illegal in terms of geographical nation states but to have an anti censorship platform we have to accept the good with the bad.

What are the rules we choose to live by?

Did the FBI ever brainwash otherwise harmless autistic internet incels into becoming domestic terrorists, funded and armed them?

I don't see how it would hurt nostr

Yeah. Replace the word "relay" with "webserver" and then think about it again.

It’ll give nostr a really bad reputation, which is inevitable tbh. An open platform hosting all content will bring illegal content.

Future news headline: “Alt-right social media platform refuses to delete child porn”

Again. This is bound to happen and there’s nothing we can do about it. They can’t hurt nostr, only its reputation.

Relays are not open platforms hosting all content though. That's my point. It will give the relay a bad rep. Not nostr.

Yes but we are the only ones who understand this. You’re assuming that they will be rational.

What is riga?

Of course, have you been on some of the other Twitter spinoffs that happened over the past few years? Some of them are bad man. I assume most of the posters are bots, but holy crap it's bad. Then again so was twitter every time I logged in. Last time was basically all porn, it was wild.

Unfortunately there is nothing we can do to stop people from connecting to someone's website (relay) with their client. Clients would have to implement DNS blocking or something, and that's really crossing the line into censorship. Some clients already do content filtering client-side, but again that censorship line is visible depending on how you look at it.

That's why it's a great thing to be a protocol and not a platform: it's much harder to kill. Plus there are huge issues with Meta/Instagram being guilty of this already, but when you are part of the censorship industrial complex you get a free pass.