Let's say you're famous on Nostr and a hacker has gotten hold of your Nsec and started posting troll content. You wake up one morning to find you've posted numerous times about how much you love penguins and how much you want to marry a penguin.

What are 5 steps you immediately take?

#asknostr

Discussion

...asking for a friend?

Did I tell you I love penguins?

Do you?

Serious thought experiment though. What's the ideal damage-control strategy?

Running a spam bot, the content will be "MY PRIVATE KEY GOT STOLEN AND THIS IS MY NEW PUBLIC KEY <...>"

What if the hacker is running a bot that posts the exact same message but with a different public key— an account controlled by the hacker and used for extended lols?

My new one will be NIP-05 verified using my domain; the attacker's will not be.

Good point. Although if you ask me the NIP-05 of most well-known people here I have no idea. I'd need to check. But maybe the hacker could swap out the NIP-05 of the currently hacked npub to match the NIP-05 of the fake new npub, so people checking there would be fooled? (I know it'd come out in the wash eventually, just trying to stress test the thought experiment here.)

What do you mean by "But maybe the hacker could swap out the NIP-05 of the currently hacked npub to match the NIP-05 of the fake new npub"

The NIP-05 can't be swapped. For example, my NIP-05 is @4rs.nl; the attacker can't acquire it unless they have access to my DNS.

I mean the hacker swaps out the NIP-05 in the profile data of the hacked account. It was @4rs.nl, but then the hacker swapped in @4rz.nl, a domain the hacker owns. (They send that overwrite to the relays.) Then people who didn't know your NIP-05 have a look in the hacked account, see it's @4rz.nl, and that that matches the NIP-05 of the fake new account created by the hacker.
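As an added illustration of the point being argued here (this is not code from the thread or from any Nostr client), the check below is what a NIP-05 verifier actually does: it ignores the profile's `nip05` field as evidence and fetches the domain's own `/.well-known/nostr.json`, so a swapped field only "verifies" when the hijacker controls the look-alike domain. The pubkeys, the `4rz.nl` documents and the `offline_fetch` lookup table are constructed placeholders for this scenario.

```python
import json
import re
from typing import Callable, Optional

HEX_PUBKEY = re.compile(r"^[0-9a-f]{64}$")
LOCAL_PART = re.compile(r"^[a-z0-9._-]+$", re.IGNORECASE)  # "_" is the root name
HOSTNAME = re.compile(r"^[a-z0-9.-]+$", re.IGNORECASE)

def parse_nip05(identifier: str):
    """Split 'name@domain'; a bare 'domain' is read as '_@domain' per NIP-05."""
    if "@" not in identifier:
        identifier = "_@" + identifier
    local, _, domain = identifier.rpartition("@")
    if not LOCAL_PART.match(local) or not HOSTNAME.match(domain):
        return None
    return local, domain.lower()

def verify_nip05(identifier: str, pubkey_hex: str,
                 fetch: Callable[[str], Optional[str]]) -> bool:
    """True only if the domain's own nostr.json maps the name to pubkey_hex.
    fetch(url) returns a body or None; it is injected so this runs offline here
    and over HTTPS in a client. The profile's nip05 field is just the claim."""
    parsed = parse_nip05(identifier)
    if parsed is None:
        return False
    local, domain = parsed
    body = fetch(f"https://{domain}/.well-known/nostr.json?name={local}")
    if body is None:
        return False
    try:
        listed = json.loads(body)["names"].get(local)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
    return (isinstance(listed, str) and HEX_PUBKEY.match(listed) is not None
            and listed == pubkey_hex.lower())

# Constructed placeholder keys and documents for the scenario in the thread.
VICTIM = "a" * 64    # the hijacked account's pubkey
FAKE_NEW = "b" * 64  # the hijacker's fake "new" account
DOCS = {
    # 4rs.nl: the real domain; its document changes only with DNS/hosting access
    "https://4rs.nl/.well-known/nostr.json?name=_": json.dumps({"names": {"_": VICTIM}}),
    # 4rz.nl: look-alike domain owned by the hijacker, who can vouch for any key
    "https://4rz.nl/.well-known/nostr.json?name=_": json.dumps({"names": {"_": VICTIM}}),
    "https://4rz.nl/.well-known/nostr.json?name=new": json.dumps({"names": {"new": FAKE_NEW}}),
}

def offline_fetch(url: str) -> Optional[str]:
    return DOCS.get(url)
```

Run against these documents, `_@4rs.nl` verifies for the victim's key and never for the fake one, while `_@4rz.nl` also verifies for the hijacked key, which is exactly why a reader who does not already know the person's real domain learns nothing from the green tick.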

You know what, just use an offline signer. Or hardware signer, I saw #nostrudel supports it.

Yeah I'm all for hardware signers. Appreciate the banter, just trying to run the thought experiment through to think how to best onboard new users. There was an LNBits signer back some time ago, but you had to flash it and all—anything plug and play by now?

> anything plug and play by now?

I don't know, I didn't search for it. I'm using Amber offline; I blocked it from using the internet with #ProtonVPN.

Run your spam bot from your own leaked nsec, posting "THIS NSEC IS LEAKED".

Yeah but the hacker can run a bot too.

- A bot that instantly sends a delete request for every message posted by the spam bot

- A bot that follows up every spam bot message with forged clarifications (follow me on my new npub at...)

- A competing spam bot that responds to your spam bot's response and says "This is the real account to follow me on, check to see it matches my NIP-05" (but the hacker has already swapped out the NIP-05 in the hacked account to match the fake new one the hacker created).

Then your bot should delete the deletion events and tell people not to trust anything posted by this npub.

I suppose. Though what about for someone without enough of a programming background to engage in bot wars? Normal users with no programming background at all and no savvy friends I suppose would be complete victims—all attempts to alert others would be thwarted or hijacked by the hacker. (They could only communicate the issue off Nostr, but who would know of their off Nostr presence?)

In real life this isn't a problem. Plenty of people on Nostr have migrated from compromised profiles.

Ah yeah, I've been looking for those cases. Have you got an example of a compromised npub that's been left behind? Or a new npub someone moved to afterwards (so I can go back and see their first hello there explaining the situation and the move)?

I leaked my own nsec. So did Gandalf.

Thanks!

Many such cases.

Nuke nsec with spam bot and start a fresh nym. RIP old WoT.

Thanks. But how do you nuke your nsec with a spam bot exactly? Assuming the hacker has their own spam bot and is willing for it to engage in some kind of Benny Hill spam bot war with your spam bot.

In either case the nsec can be assumed to be compromised, so the desired result is achieved.

That's a good point.

I would marry a penguin. Sometimes you gotta go with the flow.

I'd be begging people to implement this:

https://github.com/nostr-protocol/nips/pull/377

Great NIP!

1. Learn how to protect my keys

2. Create new keys

3. Trash my keys and see if I can restore them

4. Post to all my followers how stupid I was and promise it won't happen again

5. Go to bed