I want to publicly apologize to Will for temporarily impersonating him to start the conversation. It was not the brightest move. You can tell I’m not well versed in ethical “hacking”. I can understand why that may be upsetting.

Sorry Will. I hope you find it in your heart to forgive.

At the same time I’m concerned with this issue. It’s clear to me that NIP5 is not effective at stopping this type of issue. Anyone can get a NIP5 and nobody will know what your real NIP5 is supposed to be.

While I have some reputational risk, a scammer has zero to lose by paying a little and replying within a hot thread. I could see cases where someone may be able to rip people off fairly easily without much effort.

Right now it’s not much of an issue but down the road it could become one. Hopefully smarter people than myself are already thinking about these things and kicking around viable ideas.

I’ll accept any fallout. I’m not a perfect person.


Discussion

amazing

🫂🫂🫂

😂🫂

Any links to what happened or should I piece it together from your timeline?

Someone was impersonating a few people for fun (I think) - it seemed innocent. I could not tell who the real person was easily. It just seemed like a recipe for disaster.

I swapped my username and image to Will’s and said “what are we going to do about this impersonation issue?” I also commented on a post with an emoji. In hindsight I should not have done these things 🤦‍♂️

I think that upset Will, which was not my intention. 😿

It’s ok. Blame it on the cat’s owner 💜 But you made a good point. How would you solve this identity-scammer problem?

On Iris, those you follow have a blue tick. 2nd tier but >10 ppl in common get an orange tick, and <10 white (or black). Iris web of trust is my quick check if I don’t know who’s who.

But like 🍆 spam and hell threads, it won’t work if people you follow engage with the spam (ie comment), as it becomes your web of trust network. Not perfect, but I’ve not had major spam problems and it’s been a go-to quick check.

Another way is to see if this person has mutual follows but may not help if newbie knows no one 🤷‍♀️.
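The tiering described above (blue for accounts I follow, orange when more than a threshold of my follows also follow them, white otherwise), plus a check for accounts reusing a followed contact's display name, written out as an added example. This is not Iris's code; the follow graph, the labels and the `min_common` parameter are constructed here.

```python
from typing import Dict, List, Set, Tuple

# Constructed follow graph: pubkey label -> set of labels it follows.
# Labels are stand-ins for real pubkeys, not actual npubs.
FOLLOWS: Dict[str, Set[str]] = {
    "me":        {"will", "alice", "bob", "carol"},
    "alice":     {"will", "dave"},
    "bob":       {"will", "dave"},
    "carol":     {"dave"},
    "will":      {"alice"},
    "dave":      set(),
    "fake_will": set(),            # a fresh account nobody in my graph follows
}

# Constructed kind-0 display names for the same labels.
NAMES: Dict[str, str] = {
    "will": "Will", "alice": "Alice", "bob": "Bob",
    "carol": "Carol", "dave": "Dave", "fake_will": "will",
}


def trust_tier(me: str, target: str, follows: Dict[str, Set[str]],
               min_common: int = 10) -> str:
    """Return 'blue' if I follow target, 'orange' if more than min_common
    of my follows do, otherwise 'white'.  Default threshold is the ">10"
    figure quoted in the thread; the sample graph below uses a lower one."""
    mine = follows.get(me, set())
    if target in mine:
        return "blue"
    common = sum(1 for f in mine if target in follows.get(f, set()))
    return "orange" if common > min_common else "white"


def flag_name_collisions(me: str, follows: Dict[str, Set[str]],
                         names: Dict[str, str],
                         min_common: int = 10) -> List[Tuple[str, str]]:
    """List (suspect, impersonated) pairs: a non-blue account whose display
    name, compared case-insensitively, equals that of a blue-tier contact."""
    blue_by_name = {names[p].strip().lower(): p for p in follows.get(me, set())
                    if p in names}
    hits = []
    for pubkey, name in names.items():
        if trust_tier(me, pubkey, follows, min_common) == "blue":
            continue
        target = blue_by_name.get(name.strip().lower())
        if target is not None and target != pubkey:
            hits.append((pubkey, target))
    return sorted(hits)
```

A client would feed real contact lists (kind 3) and metadata (kind 0) into these two functions and render the tier next to every reply, so a same-name account that nobody in your graph follows stands out as white.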

🫂

Ironically Snort shows your reply in a way I can't tell if it's an impersonator or not. Had to click on the avatar to confirm it's an account I'm following but I have again not double-checked: You might still be somebody else I'm following, pretending to be you.

Ok, seriously ...

https://void.cat/d/7wr9RJcyHJ1nAo4E4DFiMM.webp

could be anybody but

https://void.cat/d/9tHKpNULjMBj9z1fYWq7hV.webp

... is not really better. What happened with the nip-05?

💜🫂 I love how mindful you are lately, about many things, first the profile picture, and then removing the bitcoin description from the profile, to make this protocol a more diverse and welcoming one. And surely we know the experiment is coming from a good place 💜🫂 thank you for being here!

tl;dr 🫂

Go on, apologize

So long as no decisions were affected, and no funds were exchanged under false pretenses, and in absence of a network owner to notify, I believe this falls under ethical hacking.

Wasn't much to hack, but you demonstrated a security weakness and have revealed it to be addressed, along with bringing attention to it from users so they can mitigate the issue.

Personal interactions aside, I think this is clean ethically. I may be wrong, but I see no foul.

🫂

💜 this has prompted a very lengthy discourse between me and #[2]. Lol. I appreciate all the effort you’re making in gathering user feedback!

This is why I love nostr 🫂

Would a client-side rule/UI feature help here?

- allow only one npub per username

- show if a user is active on Damus

It wouldn’t solve the NIP-05 or pfp imitators, but the handle is visible on a note and if it’s the handle I *know* is yours, then between two Damus users there is verifiability without reviewing a profiler’s history.

Not sure whether the above is possible, or what drawbacks it might bring…

You could lock username changes once selected, but that would not stop you from changing your username on another client. That’s the benefit of centralized identities: you can do a lot to limit “bad” behavior.

Anything client side can just be voided by using another client :(

I see changes already re-displaying the entire nip05 rather than just a domain…

Maybe a flag can appear when someone changes their profile info like name/profile pic?

That wouldn’t stop someone from changing it on another client though. Damus (or any other client) would have to flag every new profile and any profile that just made a change to username.

I suppose you could try to coordinate this? 🤔

Maybe a hash of a profile would need to be logged and if it changes would flag it? ¯\_(ツ)_/¯ I’m not the smartest
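The "log a hash of the profile and flag it when it changes" idea, as an added example that is not from any client in the thread. It hashes only the identity-bearing fields of a kind-0 metadata event and reports which of them changed; the sample events are constructed.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Fields an impersonator would swap.  Everything else (about, lud16, ...)
# is ignored so harmless edits do not raise a flag.
WATCHED = ("name", "display_name", "picture", "nip05")


def profile_hash(metadata: Dict[str, str]) -> str:
    """SHA-256 over a canonical JSON view of the watched fields only."""
    canon = json.dumps({k: metadata.get(k, "") for k in WATCHED},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ProfileLog:
    """Remembers the last watched-field hash per pubkey and reports changes."""

    def __init__(self) -> None:
        self._last: Dict[str, tuple] = {}   # pubkey -> (hash, snapshot)

    def observe(self, pubkey: str, metadata: Dict[str, str]) -> Optional[dict]:
        """Return None if nothing watched changed; otherwise a flag dict with
        'new_profile' (first time seen) and the list of changed field names."""
        h = profile_hash(metadata)
        snap = {k: metadata.get(k, "") for k in WATCHED}
        prev = self._last.get(pubkey)
        self._last[pubkey] = (h, snap)
        if prev is None:
            return {"new_profile": True, "changed": []}
        if prev[0] == h:
            return None
        changed: List[str] = [k for k in WATCHED if prev[1][k] != snap[k]]
        return {"new_profile": False, "changed": changed}


# Constructed kind-0 contents for one hypothetical pubkey label.
ORIGINAL = {"name": "karnage", "picture": "https://example.invalid/k.png",
            "about": "just here", "nip05": ""}
RENAMED = {"name": "Will", "picture": "https://example.invalid/w.png",
           "about": "just here", "nip05": ""}
```

A client that keeps such a log can show the warning on the note itself, which is what a per-client lock on username changes cannot do.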

🫂

Living up to your name and causing Karnage? 😂

I guess

How did I miss this

🫂

🫂

All good man, I was just pointing out the main way I would deal with this: unfollow. Followed you back sir!

🤝

Identity theft on #nostr is about to be a real thing

#[1] Do you have a recommendation for how this can be mitigated? If so, I think it would make sense to do a PR against the NIP with this recommendation, so other protocol devs know about this. (Pretty standard ethical hacker steps here....)

Good find!