Nostr is literally Internet 2.0. All of the data that is not encrypted or limited to a gatekept relay is public.

Anything you put on here can be analyzed by anyone, anywhere. They don't even have to scrape the data, just query the relays directly.

Nostr is designed to ensure that you can write and anyone can read. That's the whole point of it. Hand-wringing and fretting about that is silly.

Discussion

If you want something to likely remain private then:

- encrypt it well

- use private relays with barriers to reading

- use SimpleX

better still, don't expect it to not be seen by someone after you carefully type it into your computer and press sned

Don't even have to press send, since they're storing the drafts. 😂

well, i've inspected the events that spring from this and they do indeed seem to be encrypted with at least NIP-04 grade encryption (ie, one time second ECDH key)

That spring from what?

the "application specific data" events are always gobbledygook base64 encrypted text

i haven't inspected them closer to ensure they actually consist of a pubkey, nonce prefix and encrypted blob that can be unencrypted by the combination of one's private key and that nonce

there is zero ... i mean zero... understanding of cryptography, as far as i can see, in 95%+ of the nostr dev community

when i joke about making NIP-42 work in nostrudel it's not all a joke... i know the signature checking works, i know that the encryption and decryption works, i am making assumptions based on the fact that i don't know javascript well enough to actually audit how the code is running, and yes i don't trust it at all, i hate javascript and thus distrust everything it does

I know some encryption theory and math from my classes. Different sorts of hashes and encryption standards, etc. But not very advanced stuff. Simple scripts.

I know more about database securitization stuff like archiving, masking, anonymization, shuffling, etc.

i wish more of the nostr devs had this level, or the high level view that makes it clear that we have a big problem with relay development... but hey... it takes someone coming in from outside, after years of working with encryption and elliptic curves to see what is going on here

idk what to do about these things but that's why everyone writes me off as being over the top about it all

and yet still where is our nip-42????

stop me if you remember me talking about NIP-42 before

please remind me also how many clients actually support it? anyone other than nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6 and nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn ???

Theoretically, Amethyst. And maybe Gossip?

Freerse has plans to implement. Same with Nostrudel.

it's just signing a special type of event and a different envelope, it's really not hard, the spec has existed, and fiatjaf's implementation has been out there for maybe 6 months now, it's just a matter of priorities... nostr:npub18kzz4lkdtc5n729kvfunxuz287uvu9f64ywhjz43ra482t2y5sks0mx5sz sorta gets it but doesn't get it that relays need to all start implementing the capability... idk if he's open sourced the strfry sprocket for it but the lack of reference implementations on the relay side is a big problem too

khatru can already do it tho...

One does not simply "implement NIP-42". Clients must decide to auth or not auth depending on the context.

Clients should not just authenticate with any relay that requests auth from them for reading public notes, for example.

They should authenticate in order to read DMs, for example, or other special-purpose activities and relays.

i know, i already did this, thanks for your stellar base to build off

currently it doesn't enable the ad-hoc scheme of composition you designed but i will be putting this back in, right now just focusing on making the #layer2 integration with a secondary event store smooth so we can get the last tranche of our grant funding and keep being employed 🤣

also, no, it's not up to the clients when they decide to auth

that is the relay's prerogative and the clients have to account for all reasonable conditions

I've also never worked directly on an event store type of thing. Just used something that had one. So, that's new to me.

Only used RDBs, NoSQL, Object DBs, etc.

well, you got part of it... building interfaces to nostr relays is not gonna be that complicated, you maybe have seen fiatjaf's eventstore repo

my personal pet project would be to build out a pnyxDB cluster back end... pnyx is very scalable, 200 replicas with fast convergence, it's better than anything proof of stake shitcoins use, and it's built on Web of Trust

https://github.com/technicolor-research/pnyxdb

i've been watching this idea develop since 2017, used to be called "SporeDB" and now pnyx as in the hill of democracy in athens, i see blossom as being a good option for raw events but pnyx could build out a distributed index for search

Oh, the drafts.

Yes, but a key can always be compromised.

don't shift the goalposts

you are aware of how unlikely that is, you do your homework...

Yeah, encryption is pretty tight.

I put my nsec in all sorts of new clients and pray for the best, tho. 😂 I'm worst case.

yeah, it's understandable to be skeptical, and lots of the code is vulnerable, when it runs on a web browser, 100x more likely to be vulnerable from XSS

it's just a part of a general trend in software these days... security is subordinate to functionality, and what security they do implement is usually excessive and heavy handed and doesn't actually work

#sned

And I don’t want it to remain private. I want it to be public and accessible by those interested in accessing these ideas, not gate kept by some do-gooder busybody just because the software technically allows it.

Might doesn’t make right. Just because you can do something doesn’t mean you should.

Just because someone else can do something, doesn’t mean you have to take it without objection.

You want everything public, but you'll waste your time complaining that someone you don't like is reading it.

That's like complaining about someone reading a website you've published or a movie you've produced and rating it as crappy.

Ratings are also free speech. 🤷‍♀️

No, it’s not remotely like that.

An earnest rating of your movie is free speech. An organized campaign of fake reviews to kill your movie’s reach is not.

Big difference.

And you are in charge of determining which review is real and which is Fake News?

What committee or universal algo will decide this?

THIS IS WHAT WE CAME HERE TO ESCAPE.

Why are you defending the indefensible?

It doesn’t matter if I think something’s real or fake.

We’re talking about the difference between someone earnestly saying “I watched the movie, and it sucked.” Fine.

And someone creating 1000 bot reviews of your movie saying it sucks in different ways so that no one sees it.

How is this not obvious to you?

Because the bots are code and also free speech. Who determines what are the good bots and the bad bots? Who died and made them King of Bots?

Nobody. Nobody has that power and nobody should want that power.

Anyone can write anything, so long as I don't have to read it and I don't have to let them write on relays I pay for.

That’s exactly what the bot in question is doing! Deciding who the good and bad posters are. And you are defending it!

If we agree that no one should be the arbiter of good and bad bots, surely no one should be the arbiter of good and bad people.

And therein lies Popper’s Paradox of Tolerance: the only thing we cannot tolerate is Intolerance because it destroys tolerance.

So if someone else is destroying your free speech, you should not tolerate that as speech. If someone is saying disagreeable things, that’s speech that, however disagreeable, should be tolerated.

He is voicing his personal opinion. He is not deciding for everyone, everywhere.

Don't like his opinion? Mute him.

No he is not!

If someone doesn’t like my movie and voices his personal opinion on it, fine.

If someone doesn’t like my movie and creates a bot to post 1,000 negative reviews to deter others from ever seeing it, that is not.

I can mute the bot creator, sure, but now no one will see my movie, my speech is curtailed, not due to his negative opinion on it, but due to his actions to mislead others into thinking 1,000 independent people share his opinion when they don’t.

These bots are a scourge, and though opportunists absolutely will build them, if you don’t create an ethos to enact a reputational cost, I think we’ll soon find the public square here less usual than Twitter.

less *useful*

You are missing the fact that the other people can write bots that mute bots and we have tools like WoT and relay separation to reduce data noise.

Humans will have the ability to curate their feed and clients and relays can adjust settings and offer filters.

But that's all the part you so don't want, so whatever. Done discussing it.

You’re missing the part that just because it’s code doesn’t excuse bad behavior including fraud, doxxing, libel, etc.

No idea you have a problem with me calling it out and encouraging others not to tolerate it as a matter of principle.

Same reason bitcoiners call out shitcoiners. Just because you can build a shitty scam coin doesn’t mean you should.

We can stop talking about it, no problem though.

Some free speech is freer than others, it seems, if one puts enough resources into it.

Those who shout the loudest (e.g. with a gov't sponsored botfarm) will always mute the voices of sanity.

I've spent enough time on unregulated media to confirm this: where the mainstream propaganda is silent, "anti-mainstream" and equally absurd propaganda rises.

Nostr doesn't seem to be an exception as of now.

It's not. Everything that can be botted is doomed to change. A bot that censors other bots is also just a bot and all of that ends in a huge bot war wasting lots of resources. No more human interaction necessary.

The good news is, that you can run your own relay with your friends. But there's no fame in it 😘

and saying you can't say something because you impute intent to be against the public is despotism

straight up totalitarian censorship

if you can't recognise the difference and how accusing others of malicious propaganda campaigns is a malicious propaganda campaign then i have no words

You're looking at this from the POV of a coder.

Software is necessary but not sufficient.

Just like the Constitution is a brilliant legal document. Necessary, but not sufficient.

The ethos of the people is also necessary.

I’m working on that “code” with my posts.

You can't decide what someone writes to their own relay, regardless of what it is, and you shouldn't even want to.

Anything else is limiting the freedom of the press and freedom of expression.

That’s a non-sequitur.

My speech can’t stop anyone from writing something to a relay.

It can very much (if persuasive) help deter those who would curtail free speech on the platform from attempting to do so.

Okay, have fun tilting at windmills.

You do realize that you only know he even did anything because his program writes public notes, right?

Others write DMs or return results through APIs or command line interfaces, or whatnot.

If you need users with ethos you're doomed 😕

Tell this when it's able to function *without* the internet 1.0.

The internet 1.0 was designed by real engineers, not hipster cryptobros who don't know anything lower-level than JSON and websockets and piggyback off the ready-made inventions taken for granted at OSI level 7.

Remove internet 1.0 et voila, Nostr, at its current state, is nothing. Recreate all the levels and then you'll be able to call it like that.

Nostr is open and public and everyone can do as they please, and build what they please, but we are still a community and act upon what we consider a bad practice. We, users, relays fight and block spam and illegal/unwanted content. If we as a community get to consensus that something like this is not desirable we can act. Relays can block, as users in this scenario there is much we can do, just make our voices heard, we can also fight back. And I will unleash hell if that bot keeps labeling my content.

I don't allow this bot on my relay. 🤷‍♀️