If any relay admins see some strange events today, sorry about that, I'm trying something.
NIP-26 is extremely smart. It should be a requirement for signing into any client.
Hot keys for your Nostr clients, cold key just for signing delegation events.
This is critical though: https://github.com/nostr-protocol/nips/issues/654
A note about public transportation: Exploit that time! The best part about not driving is doing something else while you travel. Bring a book and read. Bring a laptop and code. Don't just sit and look at the window (unless that's what you want to do).
This whole account was conceived on buses and trains.
Sounds like an image proxy. Whatever client you use didn't forget it when implementing NIP-30.
🧙‍♂️🔮 I can see your IP Address 🪄
:a: :b: :c: 🔳 :d: :e: :f: 🔳 :g: :h: :i: 🔳 :j: :k: :l:
This is entirely hypothetical, but if somebody managed to leak a large number of nsecs, the funniest possible thing to do with them would be to shuffle them and then DM them back to everyone affected and watch who takes liberties with the key they received. Then post a list of who got whose key and let the drama unfold.
Oh, are accounts without followers unable to send a note through Mostr, or do you just mean that they ended up with an audience because of the history of the account?
The real issue is inconsistency. Different clients have different ways of trying to protect you from the same features, all of which are implemented differently.
Also, using an image proxy may protect you from leaking your IP, but as I have mentioned previously, this would now mean that URLs from your end-to-end encrypted messages would be decrypted and sent to the proxy, damaging your privacy in a different way.
Ultimately, my take on Nostr web clients is that if you're using any other browser than Tor Browser, you're doing it wrong.
I'm not going to pretend that what I did wasn't trivial. It was.
But if this trick is so uncreative and unoriginal, why hasn't this attack vector been resolved yet?
If nobody has a reason to fix this, I'll give them a reason.
I host the server, and DM people a unique image URL, so when they open that specific URL I'll know who they are and the IP they connected with.
That's fair. I will consider doing this next round.
1) Agree on the anime p*rn being an eyesore for most. Certain relays have more than others. Agree protocol allows for this, and it is the tradeoff of censorship resistance. I see onboarding as the initial part of the challenge here. Specifically on Damus, the current band-aid solution during onboarding is to have a list of suggested profiles to follow, thematically separated (homesteading, parenting, media etc.). Discovery post-onboarding, and the "universe view", is the never-ending continuation of this question. Team is aiming to explore the design and experience here soon ™️.
Further to the **** problem, there's some work done on using opt-in sensitive image scanning on Damus. It's not complete, and not yet tested for reliability and robustness.
2) > Centralizing a core Nostr codebase under GPL would keep it property of the people forever
My understanding is nostr code is licensed (verbatim) as "public domain".
3) I got you, and appreciate effectively pointing out a single weakness thus far. I hope you continue exposing weak points. Here is a proposed solution for a single client: https://github.com/damus-io/damus/issues/1897. If you have feedback on this solution, I'd be happy to pass on to the dev team. If it's just the problem statement/issue you want to share, I am happy to put on the radar of various nostr clients by generating a bunch of issues.
Lmk if/how I can be of help.
One fundamental flaw I see with this idea is that if you are addressing the method in which I gathered these IPs (via DM), you would have to send decrypted URLs from a user's end-to-end encrypted DMs to the image proxy, which endangers privacy in a new way because it reveals part of the message to the proxy. Now you have to trust the proxy with potential secrets.
Link Previews are also a vector for attack here, and it would be even worse to send all DM'd URLs through the proxy.
I also worry that image proxies could bloat the cost of running a client, are a form of centralization (this solution only benefits Damus users), and are a vector for DDoS/Abuse.
And to clarify, I did this by DM, with a new account for every message, and a unique URL for every user I DM'd.
Fetching media with the pubkey in the URL. 😁
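As an added illustration (not code from this thread or from any Nostr client), here is the kind of client-side policy the discussion above points at: decide per URL whether remote content may be fetched automatically, since the fetch itself hands the viewer's IP to whoever hosts the URL. It never auto-loads content from DMs (the method described above), never fetches non-media URLs for link previews, and flags URLs that embed the viewer's own npub or hex pubkey. All function names, sample events and keys are hypothetical and constructed.

```javascript
// Added example, not from the thread or any real client. Hypothetical names throughout.
const URL_RE = /https?:\/\/[^\s<>"')]+/gi;
const MEDIA_RE = /\.(png|jpe?g|gif|webp|avif|mp4|webm)([?#].*)?$/i;

// Decide, for each URL in an event's content, whether the client may fetch it
// without a click. Rationale follows the thread:
// - kind 4 (encrypted DM): the sender controls the URL and learns the recipient's
//   IP (and that the DM was opened) the moment the client fetches it.
// - any kind: a URL that embeds the viewer's own identity is a per-recipient
//   tracking link ("pubkey in the URL"); never auto-fetch it.
// - non-media URLs are never fetched for link previews, for the same reason.
function planRemoteContent(event, viewer) {
  const isDm = event.kind === 4;
  const ids = [viewer.npub, viewer.pubkeyHex].map((s) => s.toLowerCase());
  const urls = event.content.match(URL_RE) || [];
  return urls.map((url) => {
    const lower = url.toLowerCase();
    const carriesIdentity = ids.some((id) => lower.includes(id));
    const isMedia = MEDIA_RE.test(url);
    let reason = "ok";
    if (carriesIdentity) reason = "url embeds viewer identity";
    else if (isDm) reason = "remote content in DM";
    else if (!isMedia) reason = "no link previews";
    return { url, isMedia, carriesIdentity, autoload: reason === "ok", reason };
  });
}

// Constructed sample viewer and events; the keys are placeholders, not real ones.
const viewer = {
  npub: "npub1placeholderviewerkeyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  pubkeyHex: "00ff".repeat(16),
};
const publicNote = { kind: 1, content: "look: https://media.example/cat.jpg" };
const dmNote = { kind: 4, content: "for you only https://track.example/u/7f3a.png" };
const taggedNote = { kind: 1, content: `https://track.example/${viewer.npub}.png` };

// Returns the render plan for each sample event, in the order above.
function demo() {
  return [publicNote, dmNote, taggedNote].map((e) => planRemoteContent(e, viewer));
}

console.log(JSON.stringify(demo(), null, 2));
```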