What if the hacker is running a bot that posts the exact same message but with a different public key—an account controlled by the hacker and used for extended lols?
Discussion
My new one will be nip5 verified using my domain; the attacker's one will not be.
Good point. Although if you ask me the NIP-05 of most well-known people here I have no idea. I'd need to check. But maybe the hacker could swap out the NIP-05 of the currently hacked npub to match the NIP-05 of the fake new npub, so people checking there would be fooled? (I know it'd come out in the wash eventually, just trying to stress test the thought experiment here.)
What do you mean by "But maybe the hacker could swap out the NIP-05 of the currently hacked npub to match the NIP-05 of the fake new npub"?
The nip5 can't be swapped. For example, my nip5 is @4rs.nl; the attacker can't acquire it unless they have access to my DNS.
I mean the hacker swaps out the NIP-05 in the profile data of the hacked account. It was @4rs.nl, but then the hacker swapped in @4rz.nl, a domain the hacker owns. (They send that overwrite to the relays.) Then people who didn't know your NIP-05 have a look in the hacked account, see it's @4rz.nl, and that that matches the NIP-05 of the fake new account created by the hacker.
You know what, just use an offline signer. Or hardware signer, I saw #nostrudel supports it.
Yeah I'm all for hardware signers. Appreciate the banter, just trying to run the thought experiment through to think how to best onboard new users. There was an LNBits signer back some time ago, but you had to flash it and all—anything plug and play by now?
> anything plug and play by now?
I don't know, I didn't search for it. I'm using offline Amber, blocked it from using the internet using #ProtonVPN.