 At the current stage nostr feels like a toy project 
 It is a toy project. It has always been. No Nostr app is anywhere near what I would call a stable version.  
 But what’s so special about this note? Why doesn’t it render anywhere?

Is it a relay issue or something else? 

It renders on coracle. 
 It has a relay hint that we are not tracking yet because connecting to random relays allows people to track you.  
 Ah good to know. 

When you say track you, you mean me being forced to connect to a relay I don’t want? And possibly malicious? 
 This is why this needs to be explained more, because this is a massive turn off when trying to use Nostr! 


I'm gonna say this for the last time. Make this easier. 

nostr:nevent1qqsgyk9lre4uzn0avhs3t2nqr2psy96zfrcsxtjt97680zeup7r4gaspr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qgsfev65tsmfgrv69mux65x4c7504wgrzrxgnrzrgj70cnyz9l68hjsrqsqqqqqp9j8ltz 
 Just as devs are public and have a sort of  reputation for their work, maybe relay operators should have a similar presence. 
 The relay is not in your list, so the app won't connect to it. We are making a new permission screen to allow you to connect by clicking a button, but it's not ready yet. :(

But yes, attackers can use relay hints to monitor the IPs of victims they want to track. If they know the IP, they can get a rough location. If they can track over time, rough locations become more precise identifiers. It would be an elaborate social attack, but it is possible. 
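The decision described in the post above, as an added example that is not part of the thread and not Amethyst's or any client's code: decode the NIP-19 nevent quoted earlier, extract its relay hints, and separate relays already on the user's list from relays that need an explicit prompt before any connection is made. The function names and the trusted list are assumptions.

```python
# Added example: NIP-19 nevent relay hints checked against the user's relay list.
# Assumptions: function names and TRUSTED are illustrative; the bech32 checksum
# (last 6 characters) is skipped rather than verified.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# The nevent quoted earlier in this thread, split only for line length.
NOTE = ("nostr:nevent1qqsgyk9lre4uzn0avhs3t2nqr2psy96zfrcsxtjt97680zeup7r4gas"
        "pr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0"
        "qgsfev65tsmfgrv69mux65x4c7504wgrzrxgnrzrgj70cnyz9l68hjsrqsqqqqqp9j8ltz")
TRUSTED = ["wss://relay.example.com"]  # constructed: the user's own relay list

def bech32_payload(s, hrp="nevent"):
    """Regroup the 5-bit bech32 symbols into bytes (checksum not verified)."""
    s = s.lower().removeprefix("nostr:")
    prefix, sep, data = s.rpartition("1")
    if not sep or prefix != hrp or len(data) < 6:
        raise ValueError("not a bech32 " + hrp)
    acc = bits = 0
    out = bytearray()
    for ch in data[:-6]:
        v = CHARSET.find(ch)
        if v < 0:
            raise ValueError("invalid bech32 character")
        acc, bits = (acc << 5) | v, bits + 5
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1
    return bytes(out)

def parse_nevent(s):
    """Parse the TLV records: 0=event id, 1=relay hint, 2=author, 3=kind."""
    raw, i = bech32_payload(s), 0
    ev = {"id": None, "relays": [], "author": None, "kind": None}
    while i + 2 <= len(raw):
        t, n = raw[i], raw[i + 1]
        v = raw[i + 2:i + 2 + n]
        if len(v) != n:
            raise ValueError("truncated TLV record")
        i += 2 + n
        if t == 0 and n == 32: ev["id"] = v.hex()
        elif t == 1: ev["relays"].append(v.decode("ascii"))
        elif t == 2 and n == 32: ev["author"] = v.hex()
        elif t == 3 and n == 4: ev["kind"] = int.from_bytes(v, "big")
    return ev

def normalize(url):
    return url.strip().lower().rstrip("/")

def plan_fetch(nevent, trusted_relays):
    """Never auto-connect to a hinted relay that is not on the user's list."""
    ev = parse_nevent(nevent)
    trusted = {normalize(r) for r in trusted_relays}
    plan = {"connect": [], "ask_user": []}
    for hint in ev["relays"]:
        plan["connect" if normalize(hint) in trusted else "ask_user"].append(hint)
    return ev, plan
```

For the quoted note, the only hint is a relay that is not on the sample list, so it ends up under `ask_user` and nothing is contacted until the user approves it.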
 know your relay operators just as you get to know your devs. 
 Yep. Relays know everything about you: your interests, the time you spent on each post, your IP/ location, etc.  
 If that's the case then fucking fix it. If I can be tracked from NOSTR I'm out of here. 
 Yeah, the attack vector is much much larger than a centralized social platform. 

Instead of Facebook or Twitter knowing everything about you (which at least they protect). 

Here any rando could figure out a lot of things. 

Guess I should really not use nostr without a vpn. Though not sure how much that helps. 

Though VPNs somehow still leak a lot of information. 
 ya, still seeking solutions(can't code),,,,ffs 
 Centralized platforms knowing but "protecting" your information is a total fallacy they would like you to believe. Selling your information is how they got huge. They anonymize it maybe, but once it's sold it's out of their hands, and it is quickly de-anonymized, attached to a detailed profile, and resold. 
 Servers can always track you. Relays are the same.  That's why we avoid connecting to random relays. You MUST trust the relay operators in your relay list. If you don't trust them, don't use them. Find better ones.  
 But should the easy solution be. 

If I see a note, and I quote it, the client should rebroadcast that note with my quote? Isn’t that just a thousand times simpler?

It doesn’t solve everything, but gets rid of some issues. 
 Thoughts on this @Vitor Pamplona ? 
 We already do that. :) others should do too.  
 Yeah, but clearly the client @fiatjaf is using isn’t. lol now I’m curious what he’s using? 
 *cough cough* nostr registries *cough cough* @Laeserin *cough* *cough* 

first as an answer to centralized nips repository. Next as an answer to trusted relay operators and developers. Close will be our answer to DNS. Thoughts @Vitor Pamplona?

https://wikifreedia.xyz/nip-event-register/npub1m4ny6hjqzepn4rxknuq94c2gpqzr29ufkkw7ttcxyak7v43n6vvsajc2jl 
 I am on board. We just need to keep moving in the right direction.  
 Can't wait for clients to run on notes. 
 Find better ones how exactly?
Is there a central trust list? 
 thats exactly what we're trying to move away from 
 Gotta do your research. Find each of your relay's operators, read their privacy policies and terms and conditions. You need to know who you are "in business with" and what they are and are not doing with your data. Don't delegate that due diligence to anyone else. 

And always remember, if it's free, you are the product. 
 This is not easy for non tech people.  
 We have to make it easy. Or we are not building anything new.  
 I love that you separated the relays into sections, is it possible to have a drop-down menu of relays that work in each section, that we can choose from and research or have a star system?  
 Yep that would be awesome to have.  
 If you connect to a relay, that relay knows you connected (your IP address) and what questions you asked.  This is EXACTLY like a web browser.  Every time you go to a website, that website knows you connected (your IP address) and what questions you asked (the URL).

People who insist on hiding their IP address use VPNs or Tor.  This works perfectly well with nostr just like it works for the world wide web.

Trying to avoid connecting to some relays just makes nostr dysfunctional. This problem is outside of nostr, and nostr clients are just making the problem much more complicated than it needs to be by coding connect-based relay access control lists.  Just tell the user to use a VPN or Tor if they are concerned about privacy.

As for AUTH, that makes more sense to me. You shouldn't just AUTH to a random relay. But fetch a note... I don't see what the big deal is. 
 Agree on Tor and on Auth. But we don't have a good/easy solution for Tor yet. Most people just use their regular connections on the go. So, I see it as a massive privacy risk.  
 Does reading from a relay and not writing to it offer any changes in privacy? 
 It depends on which filters you send and if you have to auth or not. We just have way too many filters bundled in one subscription to risk. Gotta redesign that part of the code :( 
 This is another * use case for proxy relays like filter.nostr.wine which can implement inbox/outbox without leaking your IP to untrusted relays

* the others being performance and spam filtering

nostr:nevent1qqsxhyj9wprs3ycw753l7rx96newscqpuuhl5d5dckg5ara0u0qdrxgpz9mhxue69uhkummnw3ezuamfdejj7q3qgcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqxpqqqqqqz0j2356 
 how does one build trust with a relay? does each relay have an about page that is accessible in a consistent way?

nostr:note1dwfy2uz8pzfsaafrluxvt48japsqree0lgmgm3v3f686lc7q6xvsp2tyf9  
 Literally ANY web service you use has this capacity. The only difference here is that its in the open. Many devs DO in fact advocate for privacy and security. @Ava is 🐏 and gives amazing tips and advice. 

Know your threat model and how to work with it. No one else is going to hold your hand and do it for you. 
 Ava is a nanny cunt bitch and I hate her. 
 I see... well anyway 💁 
 Do you delete your browser history several times a day and use a vpn ? If not, you dont have to worry about little old nostr then lol 
 Every day. 
 no wonder snowden quit lol 
 Snowden knew that from day 1. I don't know if he quit but I can guarantee it wasn't because of this.  
 just kidding, he didnt quit, he just get more attention on x 
 he just stop posting? maybe he is using another nym? 
 he'll be back 
 I thought #nostr only recorded time and the content of posts? You’re saying individual relays can add their own trackers for other metrics if you choose to connect to them? I guess that makes sense, different servers/websites can use different analytics so why not relays. 
 Sure. They receive all requests you ask for from the app. They just need to save it.  
 If this can't be fixed, I suggest myself and all other sex workers get the fuck out of here.

nostr:nevent1qqsdvgzz4zjpxhp7lv432hm964lxw07rmfeszytxnxrfpahm9m8gaygpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtczyprqcf0xst760qet2tglytfay2e3wmvh9asdehpjztkceyh0s5r9cqcyqqqqqqglrnpqc 
 Why ? Are you not paying taxes? What are you scared of ? Why different from regular people? 
 Ever been raped and held hostage by a stalker?
I have..
Yes that makes me different. 
 Maybe sex work is a bad thing then ? Just like being gay makes you get aids. Somthing aint right  
 I'm sorry, you guys are raping women to prove to them that sex work is bad??

Maybe don't attack women, dumbo 
 You fear someone might find you? That makes sense really. Lots of crazy people out there. 

I was more scared about the Bitcoin. But I guess life is important too. 
 As a person almost curb stomped to death, yes it makes me nervous. 
 I hear you. Some People out there would do anything for any reason. 
 If you use an always-on VPN you have nothing to worry about. Personally, exposing my IP feels like being nude in public. 
  ✔️ Official Linea Airdrop is Live. 

 ✔️ https://telegra.ph/linea-05-20-25 Claim $TBA. 
 I believe that this is the ideal time to accumulate more given the present phase. You may sign up for our free VIP email to receive daily updates.
https://t.me/rebelcapitalistshow🚀 🔥 
 No thanks fake Lynn 
 I suggest using carrier pigeons as a social network 
 No different than any other type of internet protocol. Can’t one use a VPN or Tor if they don’t want to leak their IP? 
 I never use the internet without a VPN, so it took me a second to understand why you'd be worried. I guess I assume everyone is using one, because they should be. 
 Huh, so even if I follow the account, amethyst will not connect to that accounts outboxes?  How will it find anything in that case unless your relays match their outboxes?  Or you're just saying, outbox is not fully operational till you have the extra settings?
 
 Follows yes. We assume if you follow the account, you trust their choice of relay. But we are not there yet. We have to make sure users understand that risk before activating it. 
 Right, so I followed gitlost, and amethyst still couldn't find the note that was quoted.  Anyway, just made me curious. 
 Yep, next step is adding their relays to your list automatically. Or at least getting your permission to connect when they are not there already.  
 Having some kind of built in VPN just for amethyst traffic would be really nice..  I can dream.  Yes I know you can sort of do this with split tunnel but not for ever changing outboxes. 
 Your IP is recorded and tracked at every website that uses google tag manager for example, and that is almost all websites. Your IP is sold and resold hundreds of times by Google and the hundreds or thousands of data aggregators. They build detailed profiles of everybody, and it's on the market. It's not just nostr, everyone needs a full time VPN and ad blocking, period, as a bare minimum. 
 Yes, but with nostr at least it’s possible to fix and make relays just a dumb servers that relay notes and nothing more than that 
 The fixes have to be client-side and whatever can be done in the protocol because we don't know what malicious software relays run. I am glad to see devs are exposing what the problems are and iterating on potential solutions. Sites that just want your traffic will be quiet about the vulnerabilities, especially when keeping you vulnerable is so profitable. 
 VPN or tor is the only way to obscure your IP on the internet, feel like I'm talking to a wall sometimes.  Is this just beyond most people's understanding?  Relays are already as dumb as they can possibly get. 
 You don’t have to tell me this. I’m with turned on orbot but there are not too many people like me. Vitor did it right by implementing it inside the Amethyst,  that’s what all of the mobile should do as well to make people aware and use it by default or turn off if they struggle with performance 
 Ok your note was very confusing then.. this one makes more sense.  That's right you even ran a relay and use Tor now..  it's just sad when people see a note like this and go 'wtf? Back to centralized then'.  Instead of, oh, how do I VPN? 
 Not relay yet, was lazy this weekend😅 
 This
nostr:nevent1qqsvz36axfvwz8g5cm346qvmklj09ndmzcwkcfjwq8zk2ytejpdn7ucprpmhxue69uhkummnw3ezuendwsh8w6t69e3xj730qgsgqrs0u0vx8r8r7ad9dmvxthuajm7fm8xj7a24phcd0awpmprgkzcrqsqqqqqpppn6y0 
 If people aren't using Tor and aren't using a VPN but they care about this, then I sure hope they never open a web browser.

But giving people the head's up and asking permission is nice. People want to see the note, but they also want to feel in control. 
 But there is a difference between my local diner knowing about me vs anyone who wants to. 
 That's the goal. That security on Desktop is less of an issue, but mobile is crucial. You don't want people to know where you have been all the time.  
 Yes, having used this option in gossip I can tell you @Vitor Pamplona with confidence that absolutely no one will use this option and leave it on to be bombarded by hundreds of questions whenever they open nostr..   
 We made the questions just a number in the lower left.  AND after you answer all the several hundred questions, they don't keep repeating eventually you catch up with it.  BUT YES your point is very valid.  It is fucking annoying to approve every relay.

But I'm also coming around to the idea that an 'nevent' is kind of like phishing, getting you to go to a relay that is malicious, just like a link in an email trying to send you to a malicious website.  Whitelisting relays is one solution, painful as it is. 
 what about a proxy relay for those connections? a relay relay 
 sounds like drugs/  prohibition etc   crazydays/metadata? 
 It is, and so is media loading.. which no one ever talks about they just harp on relays.  VPNs or relay proxies that you trust are the only solution. And probably image proxies if you're doing the proxy option.  Tho I applaud the efforts in attempting a UI for connections, it has enabled me to see that using nostr means you go to weird servers all the time.  At least nevents don't have JavaScript payloads or anything, it's safer than browsing (I think).  But images, yeah those are likely the most dangerous thing. 
 have you tried keet.io ? p2p imho is the solution 
 Media loading was the straw that cascaded this conversation in January. Malicious user posting people's ip from loading an image sent as a dm. 
 its the internet you have an ip, its well known how to hide it 
 Yeah, but then they quickly cascaded into ranting about relays about 5min later. 
 sequence of events reads very familiar 🤔 
 What can a malicious relay do to you besides spy on your IP? 
 It could ask for AUTH and if your client allows it your client will tell it (and prove) your npub.  Then it knows WHO is at that IP.  This IMHO is a step too far and clients shouldn't AUTH to random relays w/o asking the user.  But gossip lets users turn that off if they don't care. 
 That's also hard, because what "requests" do you allow, and what "requests" do you ask the user? At the end, if every key interaction is asked, it is the safest, but the most annoying. 
 I'm not really sure how malicious a relay could be. 
 How about the note to be rendered show the relay name below an "Allow" and a "Whitelist" button.

I guess generally this is a similar problem as emails and images.

Many email clients just load you YOLO all images received, which is a stupid behavior.  
 #nostr relays should talk between themselves as in a NETWORK so we can connect only to our trusted relay and pay them to protect our privacy 
 Would be interesting if relays had a special REQ type that effectively says “go to this other relay and get me this event”. It’s like rebroadcasting the note without the client actually having the note. If the relay stores the note then it doesn’t even have to retrieve it with other requests. 
 This 👇

nostr:nevent1qqs9r7rhczjl2qcapdhwfeps2m5ucrzrd8jtmzdgxsmacu5fkad9ppqpr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qgsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqrqsqqqqqp2pcudc

#cybersecgirl
 
 Nostr is a toy project? I thought that was the name of an ostrich 🤔 https://video.nostr.build/21207ffa1e3f1e882b932734507e4b7a8a4dc3872e32c70d37314957a6531dd1.mp4 
 too much dev wasted redoing the same functions while big problems of content replication are not well solved 
 Yeap. The majority of people whom I onboarded left just because apps are poor and buggy and people confused. Simplicity and stability will win. 
 client decisions and technical debt are no reflection on the protocol imo.  
 It feels like a startup company producing prototypes for a product line. 
 Except without the startup capital or time 
 Or staff. 😂 
 I started to write that, but then I was like well, I did a thing a few years ago without staff, and we kind of have a "staff" now :)  
 We're also one of the largest and most well-known groups and we have steady income, already, and we haven't released a product, yet.

We're like Project Unicorns. 😂 
 Stfu nanny bitch Ava. 
 How about you go fuck yourself already. Go get laid  stay the fuck away from me.  
 Think we need to work on the ux for "nostr registries" - public documents from an npub you trust showing you the npubs, relays and clients they trust/endorse.

nostr:nevent1qqs024dpmac6axvsjt5glqut9ccya5h3d2092cmnmrzcpucvjmtf74qpr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qgsdcnxssmxheed3sv4d7n7azggj3xyq6tr799dukrngfsq6emnhcpsrqsqqqqqppdcw2y

nostr:nevent1qqsdc8mjyxjefrlxjatsvt395eqx942j0fam9zdfw8wdgtzatqvfwqgprdmhxue69uhhyetvv9ujumn0wd68yurvv438xtnrdakj7q3qm3xdppkd0njmrqe2ma8a6ys39zvgp5k8u22mev8xsnqp4nh80srqxpqqqqqqz8gea8x
 
 nostr:nevent1qqszxzqq96plhknlcrnwf9f52343xpv3zg8g0hjstmg4j7tk4w20zygprdmhxue69uhhyetvv9ujumn0wd68yurvv438xtnrdakj7q3qm3xdppkd0njmrqe2ma8a6ys39zvgp5k8u22mev8xsnqp4nh80srqxpqqqqqqz6gcfyc