lol! Really nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn ? Why the space?
And yes, he is the top result when I add the space...
I keep fixing it and it keeps coming back
Happy Independence Day. Even if the American War for Independence collapses into woke crony socialist fiat after 300 years, I hope it will always inspire people who love freedom to do what their time demands of them.
nostr:nprofile1qqsf03c2gsmx5ef4c9zmxvlew04gdh7u94afnknp33qvv3c94kvwxgspr9mhxue69uhkscnj9e3k7unpvdkx2tnnda3kjctv9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcppemhxue69uhkummn9ekx7mp0g4rts7 happy 4th, flotilla is really coming along nicely
You as well! Let me know if you have any suggestions or complaints, refinement is next
Damus could be better, could be worse.
When I searched for "hodlbod" his profile was not returned at all in the top results, even though I follow him:

I had to scroll WAY down before finding the first profile with that name:

Aaaaaand it was an impostor:

But, when I go to the correct nostr:nprofile1qyvhwumn8ghj76rzwghxxmmjv93kcefwwdhkx6tpdshsz9thwden5te0wfjkccte9ejxzmt4wvhxjme0qy88wumn8ghj7mn0wvhxcmmv9uqzp978pfzrv6n9xhq5tvenl9e74pklmskh4xw6vxxyp3j8qkke3cezglmm4w profile, I see that other people I am following also follow him:

Sadly, there's no real indication on the fake profile that it is probably a fake, unless a user already knows what to look for, such as lack of NIP-05 (though scammers are starting to add NIP-05s, too), and no indication that anyone I am following also follows them.
Only if we use NIP 13, but that's not a bad idea
Sure, but also design matters. Wot isn't a panacea, I'll give you that
Yes, which is one reason why we need wot
#askNostr,
As we should all know, it's pretty trivial for a Nostr user to change their profile name and picture. I think this is a good thing (maybe couldn't stop it even if we wanted to). However, it seems like this ability could be gamed to help facilitate impersonators in a way that could evade most detection: e.g. if an nPub I'm already following decided to impersonate another nPub I'm already following, I don't think I would notice.
Obviously, this would require a much longer game by a would-be impersonator than the issue nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn is addressing in his note I've quoted here; but, the solution to this long-game impersonator might be pretty simple: Nicknames (a la, what the Signal app uses). If every entry in your follow list also had a 'Nickname' field, it could easily be used to always display the nPub's name that was used at the time you chose to follow that nPub; or even whatever Nickname you chose to assign to that nPub. Maybe clients could allow you to toggle between displaying the nPub's chosen name, or whatever nickname you've chosen for the nPub, or perhaps both simultaneously.
At this point, I'm just rambling; and this doesn't currently seem to be a big issue; but whenever I notice someone who I follow has changed their profile name otherwise unannounced, something in the back of my mind tells me this presents a potential danger that could be hard to detect.
This is definitely a weak point of WOT, once it's infiltrated you have to get rid of the attacker another way. We've actually had "petnames" for as long as I've been around, the problem with them is people aren't likely to assign them unless people's own names are confusing to them. Adding petnames publicly also has some privacy implications which would make them hard to share.
Just figured it out, just check the zap request (which is embedded in the zap receipt) for authorization.
Yes, but in order to avoid hosting non-group zap receipts I'd have to parse the zap receipt and make sure the p-tagged user (or even e-tagged event) is on the relay. Not impossible, but also not clean
If there's any activity on telegram, I'm not aware of it. I left the nostr group long ago. I do have a flotilla instance set up just for this purpose, which you can join at relay.nostrtalk.org with the invite code `nostrtalk`. Not much is going on there, the conversation is too fragmented across different sub-protocols, but it's something.
NIP 29 is deceptively hard. Trying to implement zaps on access-controlled groups right now, and I either have to have the zapper send them to publicly writable relays, or white-list zap responses on the group relay somehow, since the zapper doesn't have permission to write to the group.
nostr:npub1n0stur7q092gyverzc2wfc00e8egkrdnnqq3alhv7p072u89m5es5mk6h0 has some really good wot indicators
https://cdn.azzamo.net/5857f018c6e9edd3e5a860e0ee8b4e5c8a3979741d42bef7fc950f16a4522f91.webp
https://cdn.azzamo.net/c303047ea0fdb40b7bc2d7df405f57a85fd99b84b906214a513a9cf7f8abada2.webp
https://cdn.azzamo.net/51995d58ad38e4aa399e0d723400ef8b9e4a876546173eb7b1c1a0fe647a5551.webp
Wow, I have infinite volgers, cool! The negative flag is really nice, how are you calculating that nostr:nprofile1qqsfhc97pejd8z3f488vnfwgaawcw0ptlffk9f94trd9la5mc09ms8s0y9649? I'd be afraid of false positives.
Watched Wild Strawberries last night. Been thinking about it all day. My first Bergman film, and it did not disappoint.
Mayyyybe but only if permissions are properly locked down. I opened a PR for this and reactions were mixed: https://github.com/nostr-protocol/nips/pull/1795
If your wot calculation depends on no false positives, it won't work, sure. Set a threshold, incorporate mutes/reports, show a number, etc. Lots of ways to improve the most naive version.
That's a different thing, but also worth building. Real validation is a harder problem than preventing impersonation of popular accounts. Social key rotation is also the way to go IMO
Thanks for following me nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn! Couldn't believe it at first, but the badges in nostr:npub1n0stur7q092gyverzc2wfc00e8egkrdnnqq3alhv7p072u89m5es5mk6h0 by nostr:npub1n0sturny6w9zn2wwexju3m6asu7zh7jnv2jt2kx6tlmfhs7thq0qnflahe sure helped in distinguishing the real from the fake. It's also neat that there's an option for disabling them.

Ohh, those are badges. Interesting. Those also seem pretty easy to fake for a persistent attacker.
Not on coracle, that would require downloading a ton more data. Not sure about vertex, they might have the resources to do that.
I thought about making a long form but didn't want it clogging up my blogs
nostr:nprofile1qyghwumn8ghj7mn0wd68ytnvv9hxgtcqypex583xrnryw3n5aq59uw23kwa38xlf5aeart85nhyx3kuxrgwpzjh056v I'm having a little trouble with zapstore this morning, got this error when trying to publish a release:
> Publishing kind 32267...Exception: error: SQLiteError: database or disk is full
zapstore install zapstore also hangs searching for zapstore
You're always talking about your users. Don't you care that your search does nothing at all to help them differentiate between real people and scammers?
That doesn't seem particularly helpful
Nostr will fail to the extent that people can't tell an impersonator from the real thing. The number of reports I get about my impersonator indicates to me that nostr is failing. But it doesn't have to be this way! Web of trust fixes this.
Let's play a game of "spot the impersonator". I created a fresh impersonator account with a valid NIP 05 from nostrplebs and all the same profile data. I didn't bother to clone my notes or create a bunch of sock puppet followers, but that could easily be done, and would improve the resemblance.
Coracle:

Pretty good if I do say so myself. Social trust is shown in two separate ways: web of trust indicator and followers tab (although followers is not complete or sybil resistant).
0xchat:

Exactly the same, other than NIP 05 address, which I don't consider any sort of validation at all. This is a classic phishing maneuver, and recently allowed nostr:nprofile1qyfhwumn8ghj7am0wsh82arcduhx7mn99uqjzamnwvaz7tmjv4kxz7fwwd5xzamw09jkzem9wghxxmmd9a5kucn00qqjqamnwvaz7tmjv4kxz7fwwd5xzamw09jkzem9wghxxmmd9a3ksct5qy38wumn8ghj7un9d3shjtnndpshwmnev4skwetj9e3k7mf0da6hgcn00qqjxamnwvaz7tmjv4kxz7fwwd5xzamw09jkzem9wghxxmmd9ac8y6tkv96x2qpqclk6vc9xhjp8q5cws262wuf2eh4zuvwupft03hy4ttqqnm7e0jrqlg4lcf's impersonator to trick some people.
Yakihonne:

Some social indicators are shown, but are not sybil resistant. They're also down the page a bit, and might not be noticed by users.
Jumble:

No social proof indicated at all; the tabs at the bottom can easily be faked by the impersonator.
Nostter:

No social proof, and failed to validate the NIP 05 for the real user.
Nostrudel:

Nostrudel does something original in showing the public key color. But how often are you going to memorize a user's color? I'd argue this is even worse than nothing because it obscures the NIP 05, which _might_ tip you off.
Iris:

Iris shows wot-vetted "known followers", which is good. In other places, a wot-based check mark is shown next to user avatars. This should probably be added to the profile page too, but still, pretty good.
Amethyst:

Amethyst shows some social proof, but it's hard to tell exactly what those profile pictures mean.
Primal:

Like yakihonne, social proof is visible, but not sybil-resistant.
Let's take a look at search now. Some clients do a much better job at this, some do a MUCH worse job.
Coracle:

WOT indicators, correct sorting, complete results. Arguably, the impersonators should be filtered out entirely, but I personally prefer to have them included.
Jumble:

Same thing, minus WOT indicators. Not bad.
Nostrudel:

It's a pass, but I'm not sure if duplicates are filtered out on purpose or not. The check marks indicate NIP 05 validation, not wot validation.
Yakihonne:

Only shows the legit version, along with a badge (I'm unsure if it's NIP 05 or something else). Pretty good.
Iris:

Very limited results, WOT-based check, pretty good.
Primal:

Eliminates impersonators, shows follower count, pretty good (though not sybil resistant in all cases).
The winners are Iris and Coracle for web of trust indicators, and Primal and Yakihonne in the "global view of the network" category. I'd love to see this get better though, and not just because I am now famous enough to have an impersonator. WOT calculations are low-hanging fruit, especially with the vertex DVM by nostr:nprofile1qythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0qyt8wumn8ghj7ct4w35zumn0wd68yvfwvdhk6tcpzemhxue69uhk6mr9dd6juun9v9k8jtnvdakz7qg4waehxw309aex2mrp0yhxgctdw4eju6t09uq3wamnwvaz7tmjv4kxz7fwdehhxarj9e3xzmny9uqzpa5rapcrtaadfazwpwvvl0v4xlskg4df9nfcem7yevcaka2h7hhjm9zju5 around. Getting this right is a core value proposition of nostr and is worth the effort.
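To make the difference between a global follower count and a viewer-relative web of trust score concrete, here is an added example that is not part of the original post and is not taken from any client named in it. The scoring rule (follows by people you follow, minus their mutes, with a threshold) is an assumption chosen for illustration, and all pubkeys and lists are constructed sample data.

```javascript
// Constructed sample data: kind-3 follow lists and mute lists reduced to
// { pubkey: [pubkeys] } maps. Keys are made-up labels, not real pubkeys.
// "real" and "fake" share the same display name and profile data.
const follows = {
  me: ["alice", "bob", "carol"],
  alice: ["real", "bob"],
  bob: ["real", "alice"],
  carol: ["real", "fake"], // one of my follows was fooled
  sock1: ["fake"], sock2: ["fake"], sock3: ["fake"],
  sock4: ["fake"], sock5: ["fake"], // sock puppets made by the impersonator
};
const mutes = { alice: ["fake"], bob: ["fake"] };

// Global follower count: every key counts equally, so sock puppets inflate it.
function followerCount(target) {
  return Object.values(follows).filter((list) => list.includes(target)).length;
}

// Viewer-relative score (assumed rule): only the viewer's own follows vote,
// +1 for each who follows the target, -1 for each who mutes it.
function wotScore(viewer, target) {
  let score = 0;
  for (const friend of follows[viewer] || []) {
    if ((follows[friend] || []).includes(target)) score += 1;
    if ((mutes[friend] || []).includes(target)) score -= 1;
  }
  return score;
}

// Rank same-name search hits by WoT score and flag those under the threshold
// instead of hiding them, so the viewer still sees that an impersonator exists.
function rankCandidates(viewer, candidates, threshold = 1) {
  return candidates
    .map((pubkey) => {
      const score = wotScore(viewer, pubkey);
      return {
        pubkey,
        score,
        followers: followerCount(pubkey),
        suspicious: score < threshold,
      };
    })
    .sort((a, b) => b.score - a.score);
}

console.log(rankCandidates("me", ["fake", "real"]));
```

In this data the impersonator has twice the raw follower count of the real account, yet it ranks last and is flagged because none of those followers are in the viewer's network.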
Just got the best autogenerated jitsi room name ever:

This is the problem with using nip 05s for verification, classic phishing maneuver
Yeah, coracle loads stuff directly from the network and tries to avoid lots of duplicate relay selections, which means it's not as consistent as other clients which load everything up front.
You'll also want to find a way to avoid duplicating tags if they need to be indexed but also used in content. Which means content likely needs to be able to reference tags in either place.
Am I right? Was it Primal that did this? Or was it following.space? I lost track of the source of the hype
Person lists used for onboarding have been around for literal years. Here's Coracle's version:

Now that Primal has renamed them "follow packs" everyone is suddenly losing their mind. Not salty, just in constant awe of what a little marketing can do.
I make ginger beer for the family, it's very easy and DELICIOUS
Just to the community relay
Opened a PR for encrypted file support in NIP 92 and 94: https://github.com/nostr-protocol/nips/pull/1947
nostr:nprofile1qyghwumn8ghj7mn0wd68ytnhd9hx2tcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszxnhwden5te0wpuhyctdd9jzuenfv96x5ctx9e3k7mf0qyf8wumn8ghj7mn0wd68yat99e3k7mf0qqszv6q4uryjzr06xfxxew34wwc5hmjfmfpqn229d72gfegsdn2q3fgsc67r3 nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq3wamnwvaz7tmkd96x7u3wdehhxarjxyhxxmmd9uq3zamnwvaz7tmwdaehgu3wwa5kuef0qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqalgpcc curious if you think I'm doing something evil/redundant and if I should approach this differently.
nostr:nprofile1qqs0kk2ef50mg4hxcccy2rr8jwqsr08n27z64f7pts46hs07sv85fys5amhcf nostr:nprofile1qyd8wumn8ghj7urewfsk66ty9enxjct5dfskvtnrdakj7qgcwaehxw309anxjmr5v4ezumn0wd68ytnhd9hx2tcpzamhxue69uhkvun9deejumn0wd68yvfwvdhk6tcqypl62m6ad932k83u6sjwwkxrqq4cve0hkrvdem5la83g34m4rtqeg6w5ntl have either of you guys addressed privacy of media uploads to private groups? Does this PR look reasonable?
I think my problem is that I think by coding. It makes it very uncomfortable to switch to planning mode and let someone else have all the fun of actually building. But I think this is the right way to use it.




