Running a spam bot, the content will be "MY PRIVATE KEY GOT STOLEN AND THIS IS MY NEW PUBLIC KEY <...>"
Discussion
What if the hacker is running a bot that posts the exact same message but with a different public key— an account controlled by the hacker and used for extended lols?
My new one will be nip5 verified using my domain, the attacker one will be not
Good point. Although if you ask me the NIP-05 of most well-known people here I have no idea. I'd need to check. But maybe the hacker could swap out the NIP-05 of the currently hacked npub to match the NIP-05 of the fake new npub, so people checking there would be fooled? (I know it'd come out in the wash eventually, just trying to stress test the thought experiment here.)
What do you mean by "But maybe the hacker could swap out the NIP-05 of the currently hacked npub to match the NIP-05 of the fake new npub"
The nip5 can't be swapped, for example my nip5 is @4rs.nl the attacker can't acquire it unless they have access to my DNS.
I mean the hacker swaps out the NIP-05 in the profile data of the hacked account. It was @4rs.nl, but then the hacker swapped in @4rz.nl, a domain the hacker owns. (They send that overwrite to the relays.) Then people who didn't know your NIP-05 have a look in the hacked account, see it's @4rz.nl, and that that matches the NIP-05 of the fake new account created by the hacker.
You know what, just use an offline signer. Or hardware signer, I saw #nostrudel supports it.
Yeah I'm all for hardware signers. Appreciate the banter, just trying to run the thought experiment through to think how to best onboard new users. There was an LNBits signer back some time ago, but you had to flash it and all—anything plug and play by now?
> anything plug and play by now?
I don't know, I didn't search for it, I'm using offline Amber, blocked it from using the internet using #ProtonVPN
run your spam bot from your own leaked nsec, posting "THIS NSEC IS LEACKED"
Yeah but the hacker can run a bot too.
- A bot that instantly sends a delete request for every message posted by the spam bot
- A bot that follows up every spam bot message with forged clarifications (follow me on my new npub at...)
-A competing spam bot that responds to your spam bot's response and says "This is the real account to follow me on, check to see it matches my NIP-05" (But that hacker has already swapped out the NIP-05 in the hacked account to match the fake new one the hacker created).
then your bot should delete the deletion events and tell people not to trust anything posted by this npub
I suppose. Though what about for someone without enough of a programming background to engage in bot wars? Normal users with no programming background at all and no savvy friends I suppose would be complete victims—all attempts to alert others would be thwarted or hijacked by the hacker. (They could only communicate the issue off Nostr, but who would know of their off Nostr presence?)
in real life this isn't a problem. plenty of people on nostr have migrated from compromised profiles
Ah yeah, I've been looking for those cases. Have you got an example of a compromised npub that's been left behind? Or a new npub someone moved to afterwards (so I can go back and see their first hello there explaining the situation and the move)?