Adam
f55a266d18d2f90fee12a54686ceec281a6e19c21721a56964d16b6ec53adacf
Decentralization is the key to everything.

No one said anything about hitting kids.

I've learned a ton by following Kevin as he researches the DNA contamination (aka "process related impurities") in the new mRNA vaccines. It's an uncomfortable topic but one that must be resolved. Kevin is mostly active on X but it's nice to see him on #nostr too.

His latest talk can be found here: https://x.com/Kevin_McKernan/status/1849653985235329350

#cancer #mrna #vaccine #research

nostr:nevent1qqsdgxycuxz7c205yqyakfh9ahnt7c45jhl7kzlwnevmj4854306smgppemhxue69uhkummn9ekx7mp0qgstrknqryfk9qazdhtwa53n9glqfv9c3v3gr9rvk9apdf3x5wl55csrqsqqqqqp84fkjf

Replying to hodlbod

Here's a quick postmortem on the Coracle vulnerability from this morning. If you haven't heard about it, please see below.

nostr:nevent1qvzqqqqqqypzp978pfzrv6n9xhq5tvenl9e74pklmskh4xw6vxxyp3j8qkke3cezqyw8wumn8ghj76r0v3kxymmy9e3k7unpvdkx2tn5dahkcue0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qgmwaehxw309aex2mrp0yh8wetnw3jhymnzw33jucm0d5hsz9nhwden5te0v4jx2m3wdehhxarj9ekxzmny9uq3gamnwvaz7tmpd3nk7tn4w3ux7tn0dejj7qpqx953gmpz6nwhtm5ys6hadgtre90xx9t8984hdj5nkzud93rq36nsvj9r8a

First off, the offending line of code was incredibly stupid. It only took a glance to realize that something was incredibly wrong. I went back and git-blame'd the line, and discovered that it was the result of a refactor, where a local variable named `session` was replaced by an imported variable with the same name. The former was a random string (in keeping with my attempts to anonymize users). The second was a user session object, complete with private key.

This leads me to my first observation, which is that no one is auditing nostr apps (just as no one is auditing most software out there). In many cases, there isn't even a code review step, because many of us are solo devs. Just because something is open source doesn't mean you can trust it. Just because you wrote something doesn't mean you can trust it! My key was leaked right along with those of my users.

Code review aside, there were some mistakes I made that resulted in the incident being worse than it could have been:

1. I used analytics and error reporting.

2. I did not self-host my analytics and error reporting.

Because I was using a hosted error reporting service, their servers were implicated in my mistake. Had I been self-hosting, I could be more confident that the data I have deleted is actually gone (even if my users don't have the same assurance).

Action item number one: analytics and error reporting are important enough to developing Coracle that I'm not planning on getting rid of them, but I am moving immediately to self-hosted options. If you want to opt out of that data collection, there is a setting for that within Coracle.

Another mistake I made is that I trusted myself to safely handle my users' private keys. This is more than just my mistake; despite the growth in use of remote signers, it's still very common for nostr applications to offer private key login or generation. But after this incident I'm of the opinion that no one should be handling unencrypted private keys, except for signers.

Applications should not generate private keys or allow users to sign in with them. Period. In fact, I propose we sunset the term "nsec" entirely. There's no need to make a friendly encoding for something that users should never see. Instead, users should be asked to export their private keys in the password-protected ncryptsec format only. This prevents clipboard attacks or poor key management from compromising users.

This is action item number two: I've already removed private key login from Coracle, and will shortly be re-working my onboarding process to redirect users to set up a remote signer instead of generating a key.

This will have implications for UX, and might make things more difficult for new users in the short term. But as nostr:nprofile1qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcpz9mhxue69uhkummnw3ezuamfdejj7qgkwaehxw309ahx7um5wfjkc6t5v4ejummjvuhszxrhwden5te0wfjkccte9e38yctev3hkutnrdakj7qf9waehxw309askycmyv4nxwv3sxg6rqvfsxserqdf5xqczu7re0ghhvvf0waesqgqml8ernh9pvds5n0p08lpngpm6a9v749s8et8eghhclzajylw9uyzh4qru pointed out, the longer we allow users to treat keys like passwords, the longer they're forming poor habits for keeping their keys safe, because the two are categorically different. Removing support for private keys will cause pain in the short term, but will force us to improve our integrations with remote signers, improving security and UX in the long term.

That's all I've got for now. Thank you to everyone for your graciousness, I appreciate all the support. I'm honestly glad this happened, and I hope it will galvanize all of us into action to continue to improve nostr's security.
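The refactor described above, a local random-string `session` replaced by an imported session object carrying the private key, is the kind of slip a telemetry boundary should catch. The block below is an added example, not Coracle's code, showing two defensive layers a nostr client can put between its in-memory session and any analytics or error-reporting SDK: an allowlisted projection of the session for telemetry, and a deep redaction pass that strips secret-named fields and nsec-encoded strings, followed by a check that refuses to send if anything secret-looking survived. The field names (`id`, `method`, `privateKey`), the `nip46` login method and every sample value are constructed for illustration.

```javascript
// Added example, not Coracle's code: two defensive layers between a nostr
// client's in-memory session and any analytics or error-reporting SDK.
//   1. Telemetry context is built from an explicit allowlist, so a session
//      object (and the private key inside it) can never be passed through.
//   2. Every outgoing payload goes through a deep redaction pass that strips
//      secret-named fields and nsec-encoded strings, then a final check that
//      refuses to send if anything secret-looking survived.
// Field names (id, method, privateKey) and all sample values are constructed.

const SECRET_NAMES = "priv(ate)?_?key|secret|nsec|seed|mnemonic";
const SECRET_FIELD = new RegExp(SECRET_NAMES, "i");
// bech32 data charset excludes 1, b, i, o; "nsec1" is the human-readable prefix
const NSEC_SOURCE = "\\bnsec1[02-9ac-hj-np-z]{6,}\\b";
const NSEC_ALL = new RegExp(NSEC_SOURCE, "gi");
const NSEC_ANY = new RegExp(NSEC_SOURCE, "i");
const REDACTED = "[redacted]";

// Layer 1: allowlisted projection of the session for telemetry.
function reportingContext(session) {
  return {
    sessionId: session.id,       // assumed: a random per-session id, not a pubkey
    loginMethod: session.method, // assumed: e.g. "nip46" for a remote signer
  };
}

// Layer 2: deep redaction over strings, arrays, Errors and plain objects.
// `ancestors` tracks the current path so cyclic objects cannot hang the reporter.
function sanitizeForReporting(value, ancestors = new Set()) {
  if (typeof value === "string") return value.replace(NSEC_ALL, REDACTED);
  if (value === null || typeof value !== "object") return value;
  if (ancestors.has(value)) return "[circular]";
  ancestors.add(value);
  let out;
  if (value instanceof Error) {
    out = {
      name: value.name,
      message: sanitizeForReporting(value.message, ancestors),
      stack: value.stack ? sanitizeForReporting(value.stack, ancestors) : undefined,
    };
  } else if (Array.isArray(value)) {
    out = value.map((v) => sanitizeForReporting(v, ancestors));
  } else {
    out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_FIELD.test(k) ? REDACTED : sanitizeForReporting(v, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Detection: does a payload still carry an nsec-like string, or a
// secret-named key whose value is not the redaction marker?
function containsSecret(value) {
  const json = JSON.stringify(value);
  const unredactedKey = new RegExp(`"[^"]*(${SECRET_NAMES})[^"]*":(?!"\\[redacted\\]")`, "i");
  return NSEC_ANY.test(json) || unredactedKey.test(json);
}

// Builds the report the SDK would receive, or throws rather than leak.
function buildReport(error, context) {
  const payload = sanitizeForReporting({ error, context });
  if (containsSecret(payload)) {
    throw new Error("refusing to send error report: secret material present");
  }
  return payload;
}

// Constructed sample reproducing the shape of the incident: a session object
// that carries a private key ends up attached to an error report.
const session = { id: "s-7f3a", method: "nsec", privateKey: "nsec1" + "q".repeat(58) };
const failure = new Error("relay timeout while signing for nsec1" + "q".repeat(58));

// Layer 2 alone: the key field and the key inside the message are both redacted.
const redactedOnly = buildReport(failure, { session });
// Layers 1 and 2: the private key never enters the payload at all.
const allowlisted = buildReport(failure, reportingContext(session));
console.log(JSON.stringify(redactedOnly.context), JSON.stringify(allowlisted.context));
```

The allowlist is the layer that actually fixes the class of bug in the postmortem: a refactor can swap what `session` refers to, but `reportingContext` only ever copies two named non-secret fields. The redaction pass and the `containsSecret` check are belt-and-braces for everything else that reaches the reporter (error messages, breadcrumbs, free-form context), and the throw in `buildReport` turns a silent leak into a visible failure during development.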

Kudos for being transparent about this. I wish more devs were as humble as you.

The goalposts keep moving in convenient 5 year increments. Why do people keep falling for this?

#climate

https://www.cbsnews.com/news/climate-change-un-report-disaster-emissions-future/

The webpage is a good resource. I wish each option said whether KYC is required or not. 🙏

I give them a little respect for standing their ground about closing on Sundays, but that's it.

Replying to ₿en Wehrman

[Re nostr:nprofile1qqstzt0wugc7sklvr8e7fcl7ukyn63ym3ns4nmf2mnk0vqnz4l9x65qpp4mhxue69uhkummn9ekx7mqpr4mhxue69uhkummnw3ezumtfv3jxc6twvuhx67tydeeju6nsqythwumn8ghj7mn0wd68ytn5dacx2arg9e5kuen0te28kw: current newbie nostrich onboarding strategy]

https://nostrcheck.me/media/0018b7ee33fb253843639c62e292fec700a69a93b08ee374c5bda971c9b39564/977a81538f80a3b8b1bf06fb019b6e1dd96788cfe5b6e91af89e3de24fe238c5.webp

For me, it depends on whether I'm there with them in person, or if we're chatting over the internet.

If I'm there to hold their hand, these are the steps I've been doing that work very well:

1) Give them the quick spiel on the client/relay model and why it's awesome

2) Get them setup with nostr:nprofile1qqs9xtvrphl7p8qnua0gk9zusft33lqjkqqr7cwkr6g8wusu0lle8jcpp3mhxue69uhkyunz9e5k7qg4waehxw309ajkgetw9ehx7um5wghxcctwvsqs6amnwvaz7tmwdaejumr0ds2g5zx8 on their phone (the built-in ⚑️ wallet is a major step-saver)

3) Have them make a killer #introductions post, with a couple pictures of themselves and a quality intro on why they're unique/awesome

4) Show them how their post appears on a completely different client on my phone, and send them some zaps

5) I have them download a second client on their phone and log in, so they get a feel for this multi-app dynamic ( nostr:nprofile1qqs24yz8xftq8kkdf7q5yzf4v7tn2ek78v0zp2y427mj3sa7f34ggjcpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcppemhxue69uhkummn9ekx7mp0qyg8wumn8ghj7mn0wd68ytnddakj703s8dt / nostr:nprofile1qqsraldwhvwcjgltmxwfu7kw8dqef2692yhzheuurd7k3kfy8cxjdqgpz3mhxue69uhhyetvv9ujuerpd46hxtnfduq3samnwvaz7tmhv4kxxmmdv5hxummnw3ezuamfdejsz9thwden5te0v4jx2m3wdehhxarj9ekxzmnype9f6h depending on their phone)

6) I have them pull up their Primal wallet so they can see the zaps I sent them earlier, and by this point usually a few other friendly introducers have zapped as well

7) I show them my own wallet with six-figure sats in it, and describe to them the big-picture vision on how this is REAL MONEY earned by posting thoughts & memes, which can now be used in the real world.

After all of the above, I've seen a very high 🤯 rate.

NOW...if I'm DMing someone over the internet, I take a different approach. I usually focus on smaller steps, i.e. touchpoints and educational resources, since as they'll be going through the steps themselves, they'll need a stronger foundation on WHY #nostr is so powerful.

A few of my favorites:

- "The Power of Nostr" by nostr:nprofile1qqsw4v882mfjhq9u63j08kzyhqzqxqc8tgf740p4nxnk9jdv02u37ncpz4mhxue69uhhyetvv9uju6mpd4czuumfw3jsz9nhwden5te0wfjkccte9ec8y6tdv9kzumn9wsq3yamnwvaz7tmsw4e8qmr9wpskwtn9wvql3tqm

- "The NOSTR Protocol: Social Media 3.0" by nostr:nprofile1qqspnhx537zxue3r65nyucqug8wtuxzw4ndwd4k6rywvnwq6j728hngpzamhxue69uhhyetvv9ujucm4wfex2mn59en8j6gpzemhxue69uhhyetvv9ujumn0wd68ytnzv9hxgqgjwaehxw309ac82unsd3jhqct89ejhxzegc0t

- "How To Earn Bitcoin And Join The Creator Economy With Nostr" by nostr:nprofile1qqswmf5ytnpzdxl2zrcpqaz2672qnt9hz2wedptaf0ceuqnkjc5e9ysu7qx9d

- My podcasts with nostr:nprofile1qqsr7acdvhf6we9fch94qwhpy0nza36e3tgrtkpku25ppuu80f69kfqpramhxue69uhkummnw3ez6un9d3shjtnyv4ex26mjdaehxtndv5hsz9mhwden5te0wfjkccte9ehx7um5wghxyctwvshszxthwden5te0wfjkccte9ekk7mt0wd68ytnsd9hxktc79dllq, nostr:nprofile1qqsr9cvzwc652r4m83d86ykplrnm9dg5gwdvzzn8ameanlvut35wy3gpz3mhxue69uhhyetvv9ujuerpd46hxtnfduq3qamnwvaz7tmwdaehgu3wwa5kuegpp4mhxue69uhkummn9ekx7mqcu9929, nostr:nprofile1qqs8d3c64cayj8canmky0jap0c3fekjpzwsthdhx4cthd4my8c5u47spz4mhxue69uhhyetvv9ujumt0wd68ytnsw43qz9rhwden5te0wfjkccte9ejxzmt4wvhxjmcpzemhxue69uhhyetvv9ujumn0wvh8xmmrd9skchd02dz, nostr:nprofile1qqsxknkf3upwv3lqz3qtguammy48lt3puqdk4fkxtcedh99rvzfzwtspz9mhxue69uhkummnw3ezuamfdejj7qgwwaehxw309ahx7uewd3hkctcpzamhxue69uhhyetvv9ujuurjd9kkzmpwdejhgtcy39xe5

- And for the real hardcore diggers: StudyNostr.com

From my knowledge, I haven't yet found a "perfect" onboarding experience where I can confidently send both of the above groups, and know they'll be in good hands to receive both the educational crash-course AND a smooth account + wallet signup, but I know client devs are working hard on building these ramps as we speak.

If there are any good ones out there I'm forgetting, please share! Now is the time to always be refining and adapting to new processes as this ecosystem continues to emerge 🌱⚑️

8) Point them to Bitrefill.com to show them how easy it is to turn sats into gift cards for purchasing things on Amazon, etc.

I already use encrypted vaults, but I guess I need to encrypt the whole partition/drive too. My point is this should not be necessary for a security-focused app like Signal.