Top o' the morning, nostrovians 🥳⛅️ This will be my last post from this specific npub. At this point, I am sure that a minimum of 3 different actors have access to my nsec through exploits of my systems. So you’ll just have to trust my voice/pen right now. A bit of a wild ride, but I’ll try to explain… The day Brazil banned X, I came to nostr. My favorite AI engineer content builds from Brazil. My legacy socials have been shadow banned for years (since roughly 2021). I’ve largely stepped away from the online world… but recently revived some socials to help friends out with their content. They are athletes, not computer whizzes. We mostly live in the dirt. Off grid as possible. Motorcycle racing is a difficult industry and it’s costly… so when I arrived at nostr I immediately fell back in love with IoV. I used to contribute daily to projects like nostr. In fact, we used to have something like zaps on another platform, but it got banned due to the regulatory crackdown on us in 2020. We were suddenly a “bank” and that was confusing when it came to KYC on centralized platforms. Weitse Wind is an incredible mouthpiece for kindness in this space and he waded us through an absolute mess. I’ve had great mentors. I owe them a lot. Whenever I build a platform, I imagine it as a service to others because I genuinely try to live by a service-to-others mindset. Hence open-source projects. So, I follow a prototype-to-scale model… this npub is an outlier. I started nostr from a computer, but as I looked at the source I got scared for onboarding my friends and family. We’re still trying to digest 2FA in that world. So I created a proof-of-concept… I didn’t realize it would scale this quickly. I onboarded as though I know nothing about encryption. So I used my real face and a lot of other really real details. Also, some not real, because I knew I was in a pit of vipers. We all are, on the internet, always. I literally pasted my keys into a word doc… I built this as sloppily as I know my loved ones would.
And then I downloaded the apps to my phone. And along the way I tried to explain what was happening… I didn’t touch any code and I only changed a relay once, but I’m pretty sure at one point my real human IP was banned. And here we are… multiple people have control of my account. You all have no way of knowing which signed events are actually a match to my face. You’ve witnessed both the burning of my books and a witch hunt in real time. And all of this data is stamped in history as though it is me. At the “block” level. Proof-of-concepts are helpful because they give us visuals and immersive experience. Measure twice, cut once. My next profile will be me in full authenticity, but those keys will be secured with biometrics. Thank you for coming to my extremely confused TedxTalk, and namaste. 🙏🏼
I am so confused... but remember me when you make your next profile!!!
Best to not fall in love with any one pubkey, especially starting off on Nostr. Not just that, but you could have multiple so you can zap yourself when no one does it 🤣 Follow me on your next pubkey 🫂
The craziest thing about being in the decentralized community the past 13 years... no matter how many accounts I spin, delete, etc... Truly sovereign individuals always find each other. They have a segment about this in Quantum Physics... I think it's referred to as, entanglement.
Gm fam, this is crazy. Well, make sure to connect with me when all is configured again!
will do fam! Keep making art!
So are you switching accounts or are you leaving?
Stu!! I would not leave you here in nostrovia... I have a lil more cojones than that <3 If I can figure out how to sunset my key, I may keep this account so I can help out people, like Robin... but they need to know it's me and not a malicious entity. Unfortunately, a large body of nostrville has acquired the mind virus. They value things that have a dollar sign attached to them, but forget that there's a fundamental value system, underground, backing that symbol. Some of us remember... and, sometimes, when things get too out of hand, we have to come out of the shadows to remind people why the shadows exist. I have always chosen the middle road, but the middle has started to accept subpar standards for entry. Bitcoin is a tool for the people, not for the state and, certainly, not a tool for industries to siphon and traffic out more creative labor from divine beings. Some people here are the state. Always have been, always will be. Next, we will watch their circus play with CBDCs.
Catch you on the flip side 🧡
Your security blog will certainly be helpful in these next conditions! Thanks Ghost... people never value privacy until they actually realize they don't have it :)
Ah, that bites, but... It's not the end of the world. Catch you soon. I better. You're cool. 😊
See you again soon, Beave! Keep keepin' it real
i don't know what's real anymore
Thanks for sharing. Your key might not be compromised: unless you have noticed that someone controls your account or key and is impersonating you, you could be OK. There is a technical solution to this called key rotation. I have had to do it once due to a cruel person in the nostr community who stole my key when I was helping someone. But we can solve the problem so that you can sunset one key and move to another, with limited disruption. We've been able to do this technically for a number of years; the harder part is to get folks to agree on a good way. In any case, if you start a new key, you can put some text in your profile to show others, which is what I did. This will be solved technically one day, but there are multiple competing ideas on how to do it right now.
Key rotation sounds interesting. Where can I find more info on this process? I would like to start building a nostr presence but I'm not confident in my ability to remain secure.
I love that idea, Melvin! Thank you for sharing. I don't want to leave my only public-facing profile, as I've found quite the family here. I am going to explore this more. Ideally, I keep this one and people can remain confident, moving forward, that it is only my pen/voice/keystroke signing events. But, as many have noted, it makes sense to spin up new npubs too as I navigate new security methods. So much has changed in 4 years... I'm relearning/unlocking a lot of blocked-out memories right now, so it's a bit of a struggle to reorient. It hurts my heart that someone was cruel to you here... you've helped my journey immensely.
If you have any general advice on going through the process of creating a secure nsec (without sharing any info that could be used to exploit you), I'd very much appreciate it. I'm new to nostr and my fears are precisely what you're expressing is currently happening to you. I doubt I'll remain with this npub for long.
Those fears are valid! The beauty of nostr is that we now have these channels to share information just like that through social networking. I think all of nostrville could benefit from that content. I certainly will do my best to help others along the way 🫱🏼🫲🏽 and welcome… I think you’ll find this is a pleasant place to be
I look forward to that. I appreciate the approach you've taken of diving in blind, as that's the onboarding experience any non-nostr dev will have. I'm on a similar track myself. I believe an intuitive onboarding process that imbues users with confidence in the security of their online identity is the biggest barrier to entry and possibly will be what takes nostr to the mainstream.
@gel I would be very sad to see you go 😔. I guess Melvin already mentioned a possible long-term solution. Let's try to do some process of elimination and some housekeeping. If you already know this then ignore me. 🫂
1.) Have you figured out whether your nsec has been stolen? If yes, what made you believe so? E.g., have you seen any posts that are not yours, perhaps?
2.) a.) If not, perhaps it is impersonation. Therefore, we need to create a web of trust for you. Perhaps a secret word that only you and your connections would know. However, this would require you to have a different method of sharing this secure word or phrase, exclusive to your trusted friends here. This may be a tricky one, but it is possible.
b.) Use a keystore like nsec.app or Amber for Android clients (I forgot the name for iOS) to log in to nostr clients. This keeps your key secure. Think of it like a second auth. When you log in to nsec.app or any keystore, it will ask you to store your nsec there. You need to have a master key for that keystore, so every time you log in to any nostr client you will use a random link to log in and you have to approve the connection: which client you want to approve. It is important to renew the cache and avoid re-using the permission cache. I'd suggest refreshing it when using the web, to keep it safe from cache session hijacking (have not tested this theory yet). This is to make sure you are only allowing the client you granted permission to access that specific client. You can customise what each client can and cannot do.
3.) Use a VPN and a password manager. On top of the keystore, it is best practice to always encrypt your traffic in transit (VPN). A password manager puts all your keys, passwords and secret phrases, encrypted, online and offline. There are so many trusted vendors out there. I have used NordVPN for 7 years now.
4.) Encrypt your mobile phone and laptop. If you need to jump on hivetalk to help you with this, let me know! 👌 Keep us posted! ☺️
To clarify, I have not tested or seen the cache hijacking theory using the keystore. #asknostr, has someone tested this yet?
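Points 1 and 2b above (is the nsec stolen, and keep the key in a signer that clients never see) and the remark in the original post that nobody can tell which signed events match the author's face come down to one mechanism, so here is an added example, not code from anyone in this thread or from any nostr project, that shows it end to end in pure Python: NIP-01 event ids, BIP-340 Schnorr signing and verification, and a toy per-client signer in the spirit of nsec.app/Amber. Everything concrete in it is constructed or assumed: the secret key `SECKEY`, the client name "web-client", the note contents and the `RemoteSigner` class are mine; real NIP-46 signers grant permissions with more detail, and the curve arithmetic follows the BIP-340 reference algorithm written for readability, not a constant-time implementation you would hold a real nsec in.

```python
# Added example, not from the thread: NIP-01 event signing (BIP-340 Schnorr, pure Python) plus a toy per-client signer.
import hashlib, json, os

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def tagged_hash(tag: str, msg: bytes) -> bytes:  # BIP-340 domain-separated hash
    return hashlib.sha256(hashlib.sha256(tag.encode()).digest() * 2 + msg).digest()

def point_add(p1, p2):  # affine secp256k1 addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    if p1[0] == p2[0] and p1[1] != p2[1]:
        return None
    if p1 == p2:
        lam = 3 * p1[0] * p1[0] * pow(2 * p1[1], P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (p2[1] - p1[1]) * pow(p2[0] - p1[0], P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - p1[0] - p2[0]) % P_MOD
    return (x3, (lam * (p1[0] - x3) - p1[1]) % P_MOD)

def point_mul(pt, k):  # double-and-add; not constant-time, so never feed it a real nsec
    acc = None
    for i in range(256):
        acc, pt = (point_add(acc, pt) if (k >> i) & 1 else acc), point_add(pt, pt)
    return acc

def lift_x(x: int):  # x-only public key -> curve point with even y (BIP-340)
    y_sq = (pow(x, 3, P_MOD) + 7) % P_MOD
    y = pow(y_sq, (P_MOD + 1) // 4, P_MOD)
    if x >= P_MOD or pow(y, 2, P_MOD) != y_sq:
        return None
    return (x, y if y % 2 == 0 else P_MOD - y)

def schnorr_sign(msg: bytes, seckey: bytes, aux: bytes) -> bytes:
    d0 = int.from_bytes(seckey, "big")
    assert 1 <= d0 < N_ORD, "secret key out of range"
    pub = point_mul(G, d0)
    d = d0 if pub[1] % 2 == 0 else N_ORD - d0  # negate so the public key has even y
    pub_x = pub[0].to_bytes(32, "big")
    t = bytes(a ^ b for a, b in zip(d.to_bytes(32, "big"), tagged_hash("BIP0340/aux", aux)))
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + pub_x + msg), "big") % N_ORD
    assert k0 != 0, "nonce derivation failed"
    r_pt = point_mul(G, k0)
    k = k0 if r_pt[1] % 2 == 0 else N_ORD - k0
    r_x = r_pt[0].to_bytes(32, "big")
    e = int.from_bytes(tagged_hash("BIP0340/challenge", r_x + pub_x + msg), "big") % N_ORD
    return r_x + ((k + e * d) % N_ORD).to_bytes(32, "big")

def schnorr_verify(msg: bytes, pubkey: bytes, sig: bytes) -> bool:
    pub = lift_x(int.from_bytes(pubkey, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or pub is None or r >= P_MOD or s >= N_ORD:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pubkey + msg), "big") % N_ORD
    r_pt = point_add(point_mul(G, s), point_mul(pub, N_ORD - e))  # s*G - e*P must equal R
    return r_pt is not None and r_pt[1] % 2 == 0 and r_pt[0] == r

def pubkey_hex(seckey: bytes) -> str:  # x-only public key, the thing an npub encodes
    return point_mul(G, int.from_bytes(seckey, "big"))[0].to_bytes(32, "big").hex()
def event_id(ev: dict) -> str:  # NIP-01: sha256 over the compact JSON array
    payload = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    return hashlib.sha256(json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode()).hexdigest()
def sign_event(seckey: bytes, ev: dict) -> dict:
    ev = dict(ev, pubkey=pubkey_hex(seckey))
    ev["id"] = event_id(ev)
    ev["sig"] = schnorr_sign(bytes.fromhex(ev["id"]), seckey, os.urandom(32)).hex()
    return ev
def verify_event(ev: dict) -> bool:  # the only check a relay or client can make
    return ev["id"] == event_id(ev) and schnorr_verify(
        bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"]))

class RemoteSigner:
    """Toy NIP-46-style signer (assumption: nsec.app/Amber differ in detail): the nsec
    never leaves it, and each client may only request the event kinds the user approved."""
    def __init__(self, seckey: bytes):
        self._seckey, self.pubkey, self._grants = seckey, pubkey_hex(seckey), {}
    def approve(self, client: str, kinds) -> None:
        self._grants[client] = set(kinds)
    def may_sign(self, client: str, kind: int) -> bool:
        return kind in self._grants.get(client, set())
    def sign_for(self, client: str, ev: dict) -> dict:
        if not self.may_sign(client, ev["kind"]):
            raise PermissionError(f"{client!r} is not approved for kind {ev['kind']}")
        return sign_event(self._seckey, ev)
SECKEY = (0x1234_5678_9ABC_DEF0_0BAD_C0DE).to_bytes(32, "big")  # constructed test key, never a real nsec

def run_demo() -> dict:
    note = {"created_at": 1725000000, "kind": 1, "tags": [], "content": "gm nostr"}  # constructed
    signer = RemoteSigner(SECKEY)
    signer.approve("web-client", [1])  # the user approved short notes only, not kind-4 DMs
    owner = signer.sign_for("web-client", note)
    thief = sign_event(SECKEY, dict(note, content="not the owner"))  # copied nsec, no signer needed
    return {"owner_valid": verify_event(owner), "thief_valid": verify_event(thief),
            "dm_denied": not signer.may_sign("web-client", 4),
            "tampered_valid": verify_event(dict(owner, content="edited after signing"))}
```

`run_demo()` makes the asymmetry the thread is wrestling with concrete: the owner's note and the thief's note both verify and carry the same pubkey, because a relay only recomputes the id and checks the Schnorr signature, so a leaked nsec cannot be told apart from its owner by anyone reading the feed; a new npub, or the key rotation Melvin describes, is the only way out once the secret has been in a word doc. The signer is the other half of the advice: it refuses to sign kind 4 for a client that was only approved for kind 1, and even a hijacked client session never holds the nsec, which is what the per-client permission prompts in nsec.app/Amber buy you.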
Thank you so much Lady Mae! 🐝