Oddbean new post about | logout
 I don't have anything else to do at the moment and I wish for people to hold everyone to the same standards. 
 The pitchforks are already out. What other clients are doing this? 
 Plenty of clients don't support all features of Nostr. Did you know that Damus doesn't support GiftWrapped messages, Communities, and plenty of other NIPs!? Damus doesn't support exporting your NSEC though. 
 Can you sign into Damus with a nsec from another client? 
 Yes 
 Yes. They never lock down your account. 
 Yep. You can. People do it every day! 
 Damus absolutely does. 
 Does** typo 
 I kinda assumed freedom to change clients was already the standard. 
 It generally has been. I remember saying back in January that some day we could see Twitter add Nostr support. They'd generate an npub for every user and they'd just be using Nostr and not even know it. They'd custody keys and manage them on the backend. We're actually seeing that scenario now. My bad for putting that out into the ether, I guess. 🤣🤣 But seriously, of Nostr and open and people can do what they want, them a client treating exporting their nsec as a feature should be okay too. Not all clients will be exactly the same. Not all clients will be for everyone. 
 What you’re describing is more like mostr.pub where fediverse users are writing events with nsecs tied to their Mastodon accounts. I don’t know much about how that works though, but I’m pretty sure @Alex Gleason isn’t sitting on a pile of nsecs. 
 I highly doubt he's personally messaging everyone on Mastodon and providing them with their NSEC 🤣 
 No, they can’t login using it either but I think nobody has the nsec as it’s probably generated cryptographically and never stored anywhere. Someone correct me if I’m wrong please. 
 @npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 
 Twitter could and I hope does exactly this. Then I will charge Elon 10 BTC for the idea and send it all to Nostr devs. 
 Twitter would probably not do this because then it would have to support an open standard where they can’t police the content. 
 Oh they absolutely could. They could run their own relay and indexing service and control all content which goes in and out. It wouldn't be a vanilla experience, but it's how they would probably integrate Nostr. 
 But if an X user’s note ends up stored on a relay that doesn’t support delete, it’s stuck out there in the wild. 
 That's something they'll have to come to terms with and give users a choice to opt-in. I assume it will a check box. "Participate in Nostr: your Tweets will be sent to Nostr. Please note that doing so, your Tweets on Nostr may not be able to be deleted from all Nostr servers." 
 I don’t see it happening under the current regime. 
 Nsecs are generated by combining the ActivityPub ID with a secret key and then hashing it. It's technically custodial keys I guess, but they're not stored in a database, just computed at runtime and cached for the duration of the session. 
 interesting. theorically can anyone hack this keys and start messing around on nostr (for mastodon users) 
 ?* 
 They would need the secret key that only the bridge has, but yes. If someone broke into the server they could impersonate ActivityPub users. That's no different from any site though. Except that Nostr would make it hard or impossible to recover from a breach like that since compromising a key is permanent. 
 🤔 
 ok in reverse. if i have a my nsec on nostr and the bridge emulates an account on mastodon, my nsec on nostr side is always secure right? 
 technically the likelihood of a mastodon person to talk / interact / get data from a nostr person is lesser than than the other way round so as long as my nsec is secure i am fine. i practice safe nsec. hehe 
 Your nsec wouldn’t be compromised. The only risk is to the corresponding ActivityPub ID on the other end. 
 i wonder if we could run a personalized version of mostr bridge? but then i guess, that is what ditto is all about anyway 
 What attack vectors are there where this could happen and how secure is the mostr.pub server? The fact that it’s centralized like this is fairly concerning, ngl. 
 i think all of this concern are probably the reason why alex comes out with ditto, right? 
 yes, if you guess the secret, which may be a different salt for each user for more fun 
 Thanks @Alex Gleason, I guess I understood it correctly! What is the risk of a key becoming compromised? 
 sup dat wat do copa dat dude dat poom boo muh fuggin wad da dood tomad do watta do muhhfugga bix nood wuttbba bubba mo do doaad bix wubba da do did bix nood coppa dat muthafucka wabba dat dude muthfucking cop ho ass muthafucka coppa dat homo nigger wahat dat dude muthafucka bix nood coppa that ho that dude that muthafucking hoe ass nigga mutha fucka wabba dat dood mutha fucka dat nigga bix nood po muh gib dat tum muha fuggin bix nood cosbon :okiedoki: 
 Why would they? What on earth is in it for Twitter to add Nostr? What does it offer that their closed platform does not? Surely Twitter already has more than 300 Bitcoin bros arguing about nsec custody already? 
 It's a feature to them. They said they're going to add it or did you not see @theoriginalbhd mention this numerous times? 
 Have you told Vitor and Holdbod your highly interesting take on them? 
 I am going to send you a bunch of GiftWrapped DMs. 
 So you're okay for one client to do this, but not okay for another client to do it? Yikes. 
 Nostr key custody should be a test bed for bitcoin key management. 

Anything unique outside of “we just hold the keys”? What’s the trade off gained technically? 
 Nostr key custody should be a test bed for bitcoin key management. 

Anything unique outside of “we just hold the keys”? What’s the trade off gained technically? 
 Oh I understand it. I just like pushing your buttons.

Remember when you said that clients could post for you if they managed your keys...

How is that different here? Alex could fake a post and we'd never know unless we went and looked on Mastodon to confirm it. That's a lot of work that 99% of people aren't going to do, because we're trying Alex.

Your move. 
 How many clients do this now?