Nostr Web Client

True.

I would add that there'some nuance here to discuss about. I don't think Parker is pointimg at this by any means but I see that as a possible issue. That is:

Nostr privkeys and money privkeys are the same in terms of information security, but are widely different in terms of what an attacker is imcentivized to do if he/she steals keys from somebody.

When you get into possession of a bitcoin mnemonic that is not yours and has some fpunds in it (extremely unlikely by chance, but doable by other shady means) you have the incentive of emptying immediately the wallet by moving all UTXOs to on or more keys controlled by you.

If you steal Nostr keys, you don't have incentive to immediately use them for fraudulent purposes. That means that "nsec farming" is doable if considering the incentives structure.

Thus, you never actually know if your keys are truly exclusively yours or not. You can only understand that you were hacked only when the attacker starts signing notes on your behalf.

In fact, this is not different from what happens in classical social media, so no surprises here. But overall I would argue that it's true, incentives are alligned differently somehow.

corndalorian 10mo ago

Then just don’t use social media at all. Don’t use the internet. Do everything with paper. If someone’s threat level is that high then they ought not to be doing anything so risky.

Reply to this note

Please Login to reply.

Discussion

Dan Wedge 10mo ago

if I was nefarious and found a repeatable way to move bitcoin I wouldn't do it as I received the wallets phrases. I would Que up transactions in a batch & exploit all at once one large pull before the exploit could be identified.

tolot 10mo ago

Yes, but you never know how low UTXOs will sit there without moving. If you find free money, you don't generally way for some other to turn up. You grab them and leave.

That's what exploiters do. They even push it a bit further...generally they fat finger the transaction fee, just to be sure to not being outbidden and to be included in the first block.

You're right for the general consideration that, if you're sufficiently sure that your victims are likely to let funds in their wallets long enough, you'll go for the patient path. But I would argue that's pretty uncommon and surely less incentivized than what'd happen with Nostr privkeys.

tolot 10mo ago

That's not a solution. The solution is probably close to the "external signer" thingy. But it's not so wide spread and some nsecs were generated way before external signers were a thing. It's a matter of awareness btw...running away from risk is not a good choice, being aware of it is ultimately the best choice. That was the goal of my riffing...I didn't mean "fuck it lets use paper"