Conversation
Notices
-
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 02:17:47 JST Alex Gleason Nostr offloads security from the server to the user. This means if one user gets pwned they lose that account forever, but leaking the DMs of an entire server is impossible. -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 02:21:05 JST Alex Gleason @dragnucs Your identity is your public key. Your secret key is your responsibility to keep secret. You sign events on the client-side and then send them to the server. The server doesn't know your secret key, only your public key. DMs are encrypted with your secret key. -
التنينوكس (dragnucs@social.touha.me)'s status on Monday, 12-Jun-2023 02:21:15 JST التنينوكس @alex how is this achieved?
-
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 02:29:18 JST Alex Gleason One of the problems to solve is... what if the server does need to know your secret key, because it needs to sign events on your behalf? Well, it turns out we can solve the problem differently with Remote Event Signing (aka Nostr Connect).
You store your secret key in an app, and then authorize third-party apps to sign events through it. -
Rusty Crab (rustycrab@clubcyberia.co)'s status on Monday, 12-Jun-2023 02:32:46 JST Rusty Crab @alex @dragnucs double edged sword. What happens every time is that some retard user does a retard thing and then the media shouts PRIVATE KEYS ARE INSECURE EXTREME VULNERABILITY FOUND and then in the article it says "user dogfarter5902 accidentally posted his private key on twitter". We saw this happening weekly with crypto. Nonetheless, that creates a reputation for the site being insecure even if it's not.
The other side of that is that it could act as a desired retard filter. I'm for building in some level of gatekeeping into software. Alex Gleason likes this. -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 02:34:05 JST Alex Gleason @RustyCrab @dragnucs For sure. But building on The Mastodon Network™️ is making less and less sense for us people who are trying to resist censorship. -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 02:35:26 JST Alex Gleason @ademan @dragnucs A remote signing hardware device would be good. Don't need to authorize it every time but it has minimal attack surface. -
Ademan (ademan@thebag.social)'s status on Monday, 12-Jun-2023 02:35:27 JST Ademan it’s already possible to use MuSig and FROST to keep your private key split across multiple devices, and you can lurk with just your pubkey.
I don’t know how many people would really want to use a yubikey style 2fa for shitposting but it’s totally possible.
-
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 03:02:01 JST Alex Gleason @46da9d8ac399a2ec9b2fbbf8bfb51544f2d8cee9052b735dde66c91d3f56ab9f That's what delegated event signing is, and the problem is that clients and relays both have to add special support for it. -
Earl Turner (46da9d8ac399a2ec9b2fbbf8bfb51544f2d8cee9052b735dde66c91d3f56ab9f@mostr.pub)'s status on Monday, 12-Jun-2023 03:02:02 JST Earl Turner Why not make a nip where you can authorize a different nsec to post on your behalf? So I could make a second nsec and using my first I publish a message that lets everyone know to treat the associated npub as me. Then I could give that nsec to a server or use it in an app I don't trust, and if they use it maliciously or I don't want to use their service anymore, I can publish a message saying that npub no longer is valid for my account. -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 03:03:15 JST Alex Gleason @fearless @dragnucs That's why you'd use a browser extension like Alby, or a remote signing app that supports Nostr Connect. -
fearless (fearless@bassam.social)'s status on Monday, 12-Jun-2023 03:03:19 JST fearless if you are using a web client there's a chance that the server serves you a malicious client to steal your secret key (if they wanted). -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 03:03:51 JST Alex Gleason @dragnucs There's no concept of private posts in Nostr, just DMs. -
التنينوكس (dragnucs@social.touha.me)'s status on Monday, 12-Jun-2023 03:03:56 JST التنينوكس @alex so this is just for DMs. Public messages are not encrypted I guess. What about unlisted or private posts?
-
Rusty Crab (rustycrab@clubcyberia.co)'s status on Monday, 12-Jun-2023 03:08:19 JST Rusty Crab @alex @dragnucs also the current userbase of nostr is VERY VERY BAD AND OBNOXIOUS so the transition over there will be quite hard -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 03:08:19 JST Alex Gleason @RustyCrab @dragnucs People on fedi seem to be more interested in having real conversations, which I love. But I'm also growing pessimistic of the extremist ideologues. Your shitposts are not life or death, random fedi users' opinions aren't going to trans your children, etc. -
Rusty Crab (rustycrab@clubcyberia.co)'s status on Monday, 12-Jun-2023 03:08:20 JST Rusty Crab @alex @dragnucs I tend to agree. It seems like everything is built on a bad foundation and people have just been trying to build mansions on it. The only thing that makes fedi good is the userbase. -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 03:09:48 JST Alex Gleason @fearless @dragnucs If you use a Nostr extension, you can open basically any website that supports Nostr and already be logged into it. I think that's pretty powerful. -
fearless (fearless@bassam.social)'s status on Monday, 12-Jun-2023 03:09:49 JST fearless I'm against the excessive use of browser extensions. Just use a native client. -
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 03:14:42 JST Alex Gleason @Nobody It's been done already, "Delegated Event Signing". It has poor support from relays and clients. Nostr Connect is a lot simpler. -
Nobody (nobody@social.freetalklive.com)'s status on Monday, 12-Jun-2023 03:14:43 JST Nobody A better plan: allow limited grants of authority to be assigned to a server with a different key. It does not sign as you, but it is authorized to act on your behalf in a limited way.
Probably by your signing their key, like the PGP web of trust.
-
Alex Gleason (alex@gleasonator.com)'s status on Monday, 12-Jun-2023 03:27:55 JST Alex Gleason @RustyCrab @dragnucs The thing I want the most from social media is humor. The goal is to be as funny as possible. It's very jarring when I post something I think is funny and our resident basement dwellers get extremely offended by it. They're exactly the same as the people they hate. -
Rusty Crab (rustycrab@clubcyberia.co)'s status on Monday, 12-Jun-2023 03:27:56 JST Rusty Crab @alex @dragnucs you also have sillyposters though which have nearly stopped existing anywhere else -
loathsome (loathsome@petrolkorps.cc)'s status on Monday, 12-Jun-2023 03:28:12 JST loathsome Some people come for the hellthreads and pointless yelling at other random people. Not me. But some people. Alex Gleason likes this. -
Rusty Crab (rustycrab@clubcyberia.co)'s status on Monday, 12-Jun-2023 03:31:13 JST Rusty Crab @alex @dragnucs there's no such thing as a fun ideologue Alex Gleason likes this. -
Semisol (52b4a076bcbbbdc3a1aefa3735816cf74993b1b8db202b01c883c58be7fad8bd@mostr.pub)'s status on Wednesday, 14-Jun-2023 22:22:38 JST Semisol External proofs for migration.
If both your NIP-05, your GitHub, your website and whatever else say your new npub is this, it is most likely you. Alex Gleason likes this. -
bot (ba2883fb4a7f62cb851b9f5411659791cffb2e3fc8b90f683ee5091f413880a1@mostr.pub)'s status on Wednesday, 14-Jun-2023 22:22:39 JST bot Oh right lol. But if you can only migrate an nsec once, then you’d know that the new key is safe. I don’t know how that would work tho. -
bot (ba2883fb4a7f62cb851b9f5411659791cffb2e3fc8b90f683ee5091f413880a1@mostr.pub)'s status on Wednesday, 14-Jun-2023 22:22:40 JST bot There should be some way to move accounts (follows, followers, etc) to a new key like on fedi. I worry that some client may have stolen my nsec, though I know about those extensions that protect it too. -
Earl Turner (46da9d8ac399a2ec9b2fbbf8bfb51544f2d8cee9052b735dde66c91d3f56ab9f@mostr.pub)'s status on Wednesday, 14-Jun-2023 22:22:40 JST Earl Turner Problem is if someone steals your nsec they could also migrate your account.