1 fucking Bitcoin, are you mad? 

 I have big plans for my nsec. :)  

 I'll say! 

 Big plans  

 How about we start at 0.01 

 Interesting incentives to think through. 

I would have a hard time knowing if my nsec leaked unless someone straight up started posting/signing notes that gained attention from others.

I’d also worry about the common practice of locking up Bitcoin with a nsec because it could provide bad incentives for Nostr client developers. 

 Think of it as an exploit bounty 

 It can also serve as proof of human. How many bots will back their accounts with bitcoin? 

 As many as the developer wants. It is not like bots exists without their inventers. 🙂 

 As many as the developer can afford. There's a difference. You could argue that you just move funds from one bot to another when it becomes widely known and blocked as a bot, but then we have time. The longer the funds have lived at the pk, the more you trust it is a real nym and not an attempt to game accounts.

It's similar to what joinmarket uses for Sybil resistance.

A JayZ with 1Btc for 1 year is more reliable than one with 1 BTC for 1 week. 

 1BTC is way too much. 500USD is enough. 
I didn't know we could lock in BTC to our nsec. 
Wouldn't it be cool if everyone had to lock in a small amount of BTC in order to transact with each other? That would cut down on spam. 

I also had no idea that our nsec could be leaked. 
This sounds terrible. Now I'm worried.  

 How do you lock USD to your key. I thought you could only do that with Bitcoin. 

 I didn't mean actual USD. I meant Bitcoin but I converted the price into USD so everyone could better understand the value of it since BTC goes up and down. 
Until Bitcoin becomes the world's reserve currency I will continue and prefer to state the value in USD so it's easier to understand.  

 Do you then continuously adjust the amount of Bitcoin locked to your key so that it keeps being valued at USD? 

 valued at USD500 that is 

 You bring up a good point. I didn't quite think about that. You wouldn't necessarily re-adjust the amount. You would just leave it in there.
If eventually it was worth too much you would have to re-adjust or if you really needed the money take it out completely.

The point of the locked in money is more to stop spammers then to take it out. So just enough that to stop spammers but no enough to break keep you poor.

I guess now that I'm thinking about it. It might be better if everyone agrees on a set price in Satoshi instead of USD. 

Just an idea to stop spammers because as Nostr gets more popular we will seem the bot farms and spammers attack us.  

 👀 

 How would you go about doing this?? 

 I guess you didn't see my sendNsecToGreenart function in my pull request 

 doesn't add anything. The thief can post something outrageous with your nsec and 2s later can steal the money. 

 Yeah, but when the attacker steals it, I will be notified and can take action. 

 which action? 

 Tell your friends and family they can't trust the key anymore  

 Just publish the nsec for everyone to see. There's no more effective way of repudiation. 

 But what about my private messages 

 I don't know what private messaging you use but if it doesn't offer PFS you're screwed. 

 I use this https://github.com/nostr-protocol/nips/blob/master/04.md is it not private and secure?????? What does PFS do????? I 

 Mebbe it's one of these https://acronyms.thefreedictionary.com/PFS 

 Luck favors the bold. 

 I guess we have to invite John Cantrell to nostr and make him do some magic 😂

https://medium.com/@johncantrell97/how-i-checked-over-1-trillion-mnemonics-in-30-hours-to-win-a-bitcoin-635fe051a752 

 I got 24 words for him that hold a full coin...😅 

 it would make sense that nostr clients start watching the taproot addresses associated with users' respective NSECS, it has potential for interesting social use cases 

 How do you do something like that?? 🤔 

 The bitcoin pubkey and nostr pubkeys are similar. All nostr users have a native bitcoin address.  

 Wow .. can any Bitcoin wallet hold against my nostr npub ?  

 Or a more appropriate question is - can I nostr with my btc keys ? .. if so , then every btc wallet already has a nostr account ..

This is a big deal -  which means nostr has  millions of dormant users who just need to be activated .. they just need to claim their accounts ..  

 You could do that with your nutsack  

 Oh nice! Imagine making a fake token that when the attacker tries to steal it, the mint notifies me. 😱

We can have traps everywhere. 

 This is a brilliant idea. Honeypots ftw! 

 Wow! 

 You could ask the mint to flag one of your proof secrets. If it gets redeemed, it could send a notification. Honestly, I find this a bit scary - pixie dust tokens - and it has got me thinking that anyone should be able to re-blind a proof before they redeem it./cc @calle 👁️⚡👁️ 

 I’d characterize this as an attack where a mint and a user can collude to entrap another user. In brief, a user can flag to the mint one of their secrets, and when this secret gets swapped or redeemed, a notification occurs. To mitigate this, the receiver of token(secret) should be able to re-blind. I think this should be pretty straightforward operation. Right now we can take the signature:  _C transform to C. Any receiver of a token should be able to transform to C_ with an entirely new secret before presenting for redemption. 

 What an amazing idea. I am sure there is a way to make this work without disclosing your information to the mint prior to the attacker unblinding the token. 

 As long as you use a reputable mint and not just your own fake one... 

 😂 

 Could do that with your NIP-60 nutsack

nostr:nevent1qqstad8stq2phk0fn35ek9wjpjs8tdel8q455gs5py8g2kwcxvkdj5gpz4mhxue69uhkummnw3ezummcw3ezuer9wchsygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqsrg7eqc 

 I'm new and a bit of a security geek, can you explain how the private key can be leaked? 

 Desktop keyloggers are the easiest way. Just monitor for the clipboard and if people copy their keys into memory to insert into an extension or a native app, send it to the attacker. 

 In your post, you said “unless you monitor your posts very closely”… is there a daily use from an app like Primal where this leak can occur? Or is this an attack vector risk from outside nostr? 

 My guess is that if you link to an untrustworthy Nostr app/PWA, that could be a problem as well. It's why I wish browser extensions like Flamingo would add PIN locks to them. In theory, any site could access your private key because the extension isn't locked. 

 Good call. I’ll have to avoid just hooking into any and all app on a whim. So, no nsec promiscuity. Got it. 

 Gotcha, but that can also happen with any social media. I guess the immutability of the private key and lack of 2FA is particularly a problem in that case though. 

 Seems odd. Should I make a service that sends an alert email when a public key posts something ? 

 Isn’t the biggest concern here that Nostr is such a high maintenance, potential security risk? As a new Nostr user, should this concern me? 

 The thing is that it's decentralized. So there's not supposed to be any single point of failure where a hacker can hack all users at once, like when they steal facebook data an billions of users are affected at the same time. 

 Yes, we like decentralized, but also want security in everyday use. The question caused by this is: What is the close monitoring of posts needed to not broadcast your private key inadvertently? 

 not so much no  

 100k sats. Enough that one would want and not enough to necc over 

 Does it have to be that crazy of an amount... Please consider a smaller number 🤣  

 If your nsec leaks, what can be done about it? 

 Nothing. You lost everything. None of your posts can be trusted because you won't know which ones were made by you or by the attacker, since the attacker can make 1000s of posts in the past and future as you.

Just create a new one.  

 Timestamps fix this problem. Posts proven to be well before the coins were taken can be reasonably assumed to be valid.  

 We could just have a bot time-stamping every post. 

 Great idea! Best used in conjunction with timestamps to prove notes were written well prior to the coins being taken.

Amethyst supports OpenTimestamps. Although every time I timestamp a note amethyst seems to get stuck in a crash at startup state...

nostr:nevent1qqstad8stq2phk0fn35ek9wjpjs8tdel8q455gs5py8g2kwcxvkdj5gpzpmhxue69uhkummnw3ezumt0d5hsygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqsugwkh0 

 There used to be a project that wanted to watermark bitcoin keys into movie files. if somebody takes the bitcoin the copy right owner knows that this particular users has leaked/shared the movie file.  

  nostr:nprofile1qqsyh28gd5ke0ztdeyehc0jsq6gcj0tnzatjlkql3dqamkja38fjmeqp3hucz 
Mais BTC grátis 

 1btc may be excessive 

 You that sure your key isn't compromised already? 

 Not at all. 

 Why not 10M SATS ?

Still a lot of money

 

 Yea I posted about this a while ago… I even think this is nostr’s biggest design flaw and I don’t like how there’s no clear mechanism to prevent this AFAIK

nostr:nevent1qqsrmy785nat5hznhmg5em0049k3ckhrmnvsh2ppgfup4qmywf8n2egprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvqyg8wumn8ghj7mn0wd68ytnhd9hx2qgdwaehxw309ahx7uewd3hkcqg4waehxw309ajkgetw9ehx7um5wghxcctwvsg37def 

 That's why you have browser extensions though  

 How does that help? Providing sensitive information to another party is always insecure. Adding another party as an additional set of eyes isn't improving anything. 

 Having a dedicated app that only handles key management, is ofcourse more secure the putting your nsec key in random websites. 

 Do you have an example? How does the client (e.g. snort) then get the key from said "secure dedicated app"? Snort needs that secret in plain on its own. 

 A browser extension app, there are many such apps around, I use the Blockcore wallet it has support for Nostr keys but you'll find several around.
The issue is it won't work on mobiles. 

 This probably would only work if your reputation is worth less than a bitcoin. 

High profile npubs with lots of influence would have to lock larger amounts, but it's difficult to determine how much. 

 Don't think that there's any account on nostr worth >1 BTC :-) Actually, there isn't any business model.  😃  

 What an interesting idea, it will also encourage more responsible handling of your Nostr key (use only well known clients)
And it can be easily verified by anyone.
 

 how do you recommend businesses to provide access to the brand account for all their team members? 

 Amber running on the Android phone of the person authorized to sign for the team and using NIP-46 bunkers to connect each user to request signatures to that phone. 

 is this not available on regular play store? 

 I don't know. I use mostly Obtainium to install apps these days.  

 is this NIP-46 similar to NWC (Nostr Wallet Connect)? 

 Yep, but for signing devices instead of wallets.  

 what is the difference between a wallet and a signing-device? 

 I would be more upset losing that 100m sats than control of my nsec for the time being.. But interesting concept! 

 I’m thinking of tying a string to my nutsack to know if someone opens my bedroom door while I’m sleeping. 

 Vitor will lock 1 Bitcoin on his Nsec; you are not bullish on nostr enough. 
nostr:nevent1qqstad8stq2phk0fn35ek9wjpjs8tdel8q455gs5py8g2kwcxvkdj5gpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqskdvel7