Have these blackhat people actually reached out to the clients before this talk on security vulnerabilities of nostr, I wonder?

Also from the description is this a protocol-issue or a client-issue?

https://www.blackhat.com/us-25/briefings/schedule/#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726

#asknostr


Discussion

yep, the research is a couple years old and iirc they found issues in Damus and OpenVibe that are now patched

they contacted me two years ago and showed me an attack where if you connected to a rogue relay it could send forged notes.

at the time I was busy with all the nostr hype and it was an obscure attack and I felt like the threat wasn't realistic for most people at the time and I had more important things to work on.

this eventually convinced me I need a more robust engine that de-duped and checked everything as it came off a subscription, which led me to build nostrdb.

this combined with apple censorship sent me off on a quest to build a new client from the ground up that was hardened from day one, the client I am now writing this note from on my android phone.

Daniel has a few more patches that fix a few of these remaining issues when connecting to rogue relays, but we can't even release them because apple has officially blocked us from releasing new updates without removing zaps again.

Daniel is also working on migrating damus to Android's local relay model (only talking to the embedded relay) which should make everything a lot faster and secure like damus android.

this of course would be a huge issue in the outbox model, which is why we need full nostrdb integration first before we can do that, and why it's been delayed so long on damus iOS.

we can also easily do it on damus android now, it's just a matter of refactoring our subscription manager. no longer do we need to worry about relays doing weird stuff like non-matching queries or malformed notes
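The kind of gate Will describes (verify each note, check it against the subscription it arrived on, de-dupe by id), as an added Python example that is not code from Damus or nostrdb. It assumes the NIP-01 event serialization and a caller-supplied BIP-340 Schnorr verifier, since the standard library has none.

```python
import hashlib
import json

def compute_event_id(ev: dict) -> str:
    # NIP-01: id = sha256 of [0, pubkey, created_at, kind, tags, content]
    # serialized as compact JSON with no whitespace and no extra escaping.
    payload = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def matches_filter(ev: dict, filt: dict) -> bool:
    # Re-check the event against the filter we actually subscribed with; a relay
    # that answers a query with events outside it is misbehaving.
    if "ids" in filt and ev["id"] not in filt["ids"]:
        return False
    if "authors" in filt and ev["pubkey"] not in filt["authors"]:
        return False
    if "kinds" in filt and ev["kind"] not in filt["kinds"]:
        return False
    if "since" in filt and ev["created_at"] < filt["since"]:
        return False
    if "until" in filt and ev["created_at"] > filt["until"]:
        return False
    for key, wanted in filt.items():  # tag filters such as {"#p": [...]}
        if len(key) == 2 and key[0] == "#":
            present = {t[1] for t in ev["tags"] if len(t) > 1 and t[0] == key[1]}
            if not present & set(wanted):
                return False
    return True

def check_incoming(ev, filt: dict, seen: set, verify_sig):
    # Gate every event coming off a subscription. Returns None when the event is
    # acceptable, otherwise a short rejection reason. verify_sig(ev) -> bool is a
    # caller-supplied BIP-340 Schnorr verifier (assumed; e.g. from a secp256k1 lib).
    required = ("id", "pubkey", "created_at", "kind", "tags", "content", "sig")
    if not isinstance(ev, dict) or any(k not in ev for k in required):
        return "malformed"
    if not (isinstance(ev["tags"], list) and all(isinstance(t, list) for t in ev["tags"])):
        return "malformed"
    if compute_event_id(ev) != ev["id"]:
        return "bad-id"          # content or metadata was altered in transit
    if not verify_sig(ev):
        return "bad-sig"         # not signed by the claimed pubkey
    if not matches_filter(ev, filt):
        return "filter-mismatch" # relay sent something we never asked for
    if ev["id"] in seen:
        return "duplicate"       # same event again, from this or another relay
    seen.add(ev["id"])
    return None
```

Run the same gate for every relay connection and share the `seen` set across them; an event that fails any step is dropped before it reaches the local store or the UI.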

thanks for the detailed explanation Will, you're on the right path. long and hard but it's worth the effort.

I don't understand the reply but I am impressed.


lol such a nothingburger

Gotta hype their event I suppose. It's curious enough that they thought nostr was worthy of the effort and a talk. That is... Something, no? 🤔

Was the attack publicly documented?

I think they're talking about NIP-04 DMs which have been deprecated for a long while, but popular clients still use them. Maybe this will give them a reason to upgrade.

Client issue for sure.

Seems like this one is a non-issue for me. If someone is talking with me then why would I care if they are impersonating someone else? I'm just glad to be talking with someone.

And my information threat model never assumed Nostr DMs were private anyway, since nothing stops the person I'm talking with from simply posting everything publicly themselves.