I'm not interested in feelings or theory. I'm interested in reality and security. Having a culture that encourages giving a private key to whatever asks for it is awful security and will have terrible consequences if Nostr catches on and gets used more broadly. My issue isn't with the ability to connect different apps, but with the current model of just giving a private key to apps. I don't take any of it seriously right now and won't until there is a more secure model by default. The encouraged model should be to keep private keys offline if one's entire identity is to be connected to a single key. That's not what I see currently, but work is being done.
So are you working to do any of this? Or just telling us how to do it? I hear lots of security experts who love to tell me how to do things, but most don't either talk to actual users or build systems for other people to use. It's like all the security experts getting pissed at Signal for using phone numbers, but nobody built a version that really worked without phone numbers even though it's open source and they kept saying it's really important. Or how security folks tell users not to reuse passwords, but it was a couple of decades before people admitted that was an insane impossibility and switched to passkeys that come with managed software. We created OAuth to solve this same basic problem: keep users from putting usernames and passwords in random apps. The effect of platforms switching to using OAuth meant that all power got concentrated in centralized platforms. I'm sick of security researchers who tell us how software should work. Think we're doing it wrong? Build a better solution.
I'm not telling you how to do anything. It sounds like you have some baggage that you're taking out on me. In fact, you're the one who even replied to me. I'm simply sharing thoughts that were spurred by a note that wasn't even posted by you. If you're sick of hearing other people's opinions then don't respond to them with your own. You don't get to respond to someone's opinion and then expect to be shielded from a counter. I am more than happy to discuss this topic with those who disagree with me, but you don't get to tell me that I can't have an opinion without meeting your arbitrary barriers. The work I put into Nostr may not be exactly like yours, but that doesn't mean you somehow have more of a right to an opinion than I do. You're also using things that you didn't build. You seem to think that the world would be a better place if everyone who isn't writing code just shut up and never shared thoughts on the matter. Using your Signal example, they have made the software better and other solutions have improved as well. You don't have to care what others think, but you don't live in a vacuum where your work is the only thing that matters. I appreciate your efforts, but you're the one choosing to take this personally. There is a desire shared by many people to put everything and everyone onto Nostr with no regard for the consequences that may have. I think people who research issues like security and share opinions are just as important as those who build software. The goal shouldn't be perfection, but it shouldn't be stagnation and self-insulation from criticism either. My only point is that adoption should not be accelerated at the expense of all else. I just want to minimize risk to those who use software. If you wish to condemn me for that, then so be it.
Hey @Matt Warren, yeah, that came out with more frustration at you than I intended. Sorry. To be fair, putting an nsec in apps which don't store them securely is a terrible idea. It's just that we need to remember that an nsec isn't as precious as a wallet key with money. And that we were able to show the power of Nostr and get folks excited when we showed them how to put their nsec in multiple apps they can use at the same time.
But to answer your question, yes, I put in a lot of time and work researching and educating others on information security to the best of my ability. Sometimes, that involves sharing my opinions on dangerous trends I see. I'm sorry that you don't value my work and effort, but that doesn't mean it has less value than yours. In this case, my efforts could make some people think twice about the consequences that come with what is marketed (rightly) as freedom. It could just be the case that some people decide to use a different nsec for each application to reduce their own risk, even at the expense of seamless data integration. Freedom to do a thing doesn't mean it's the best thing to do for everyone, nor does it mean that everyone should be encouraged to do it. Again, thank you for what YOU do, but I'm not going to stop doing what I care about just because you're sick of it. That's on you.
Just use a signer. 🤷‍♀️
None of the most popular applications I've used make it clear that using a signer is even possible. They all just asked me to paste my nsec. I know not everyone values this as a skill, but it is possible to consider people who aren't as knowledgeable as you are about a given topic and the consequences they may face from doing a particular thing. I know I can use a signer. My problem is that the dominant culture currently is to just paste an nsec as if there is no risk to doing so. I have an issue with that and share my opinion, just as you do on things you care about. My issue isn't with nsecs, only with how we are failing to make it explicitly clear to newcomers how dangerous they can be if handed out to anyone who asks for them. My goal is to persuade others to think with security in mind sooner rather than later. Also, I have most of the major signers that average people are likely to buy (for my own research and education), and none of them are Nostr focused yet (or at least don't make it clear if they are). Hence why I'm so concerned about encouraging everyone to use the benefit of one nsec for so many apps and services. The already technically knowledgeable are the only types likely to use something like a hardware signer or bunker with Nostr at this point. I want to influence people to consider the consequences of that. Fuck me I guess lol
Huh, I use nos2x and Amber. And the apps I use regularly always offer them as a login option. Some apps don't even have the option to enter nsec. You must be using Primal Android. They're still like that, for reasons I don't understand.
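The thread's disagreement is about one design choice: whether a client asks for the raw nsec or talks to a signer. As an added example that is not code from the thread or from nos2x, Amber, Primal or any other app named above, here is the client-side policy the "just use a signer" replies describe, written against the NIP-07 browser interface (`window.nostr.getPublicKey()` and `window.nostr.signEvent(event)`, which nos2x implements). The signer object is passed in as a parameter so the logic can run outside a browser; `fakeSigner` is a constructed stand-in with no real keys or cryptography, and the input classifier only recognises the bech32 `nsec1`/`npub1` shapes and bare 32-byte hex.

```javascript
// Added example: signer-first login for a Nostr web client (NIP-07 interface).
// Not from the thread or any named app. The app never holds a private key;
// a pasted nsec is recognised and refused rather than stored.

const BECH32 = '[02-9ac-hj-np-z]';            // bech32 alphabet: no 1, b, i, o
const NSEC_RE = new RegExp(`^nsec1${BECH32}{58}$`);
const NPUB_RE = new RegExp(`^npub1${BECH32}{58}$`);
const HEX32_RE = /^[0-9a-f]{64}$/i;           // 32-byte hex pubkey (or raw secret)

// True when the object implements the two NIP-07 methods a client needs.
function hasNip07Signer(nostr) {
  return !!nostr &&
    typeof nostr.getPublicKey === 'function' &&
    typeof nostr.signEvent === 'function';
}

// Classify what a user pasted into a "login" field. A private key (nsec)
// must never be accepted; bare hex is ambiguous and is treated as a secret.
function classifyLoginInput(value) {
  const v = String(value).trim();
  if (NSEC_RE.test(v)) return 'private-key';
  if (NPUB_RE.test(v)) return 'public-key';
  if (HEX32_RE.test(v)) return 'ambiguous-hex';
  return 'unknown';
}

// Sanity-check what the signer handed back before the client publishes it:
// it must carry the pubkey the signer advertised, a 32-byte id, a 64-byte
// signature, and the kind/content the client actually asked to sign.
function checkSignedEvent(template, signed, expectedPubkey) {
  if (!signed || typeof signed !== 'object') return false;
  if (signed.pubkey !== expectedPubkey) return false;
  if (!HEX32_RE.test(signed.id || '')) return false;
  if (!/^[0-9a-f]{128}$/i.test(signed.sig || '')) return false;
  return signed.kind === template.kind && signed.content === template.content;
}

// Full flow: pubkey from the signer, event signed by the signer, result
// checked. If no signer is present the client reports that instead of
// falling back to an nsec prompt.
async function loginAndSign(nostr, template) {
  if (!hasNip07Signer(nostr)) {
    return { ok: false, reason: 'no NIP-07 signer; refusing nsec login' };
  }
  const pubkey = await nostr.getPublicKey();
  if (!HEX32_RE.test(pubkey)) return { ok: false, reason: 'bad pubkey from signer' };
  const signed = await nostr.signEvent(template);   // signer fills pubkey, id, sig
  if (!checkSignedEvent(template, signed, pubkey)) {
    return { ok: false, reason: 'signer returned a malformed event' };
  }
  return { ok: true, pubkey, event: signed };
}

// Constructed stand-in for window.nostr (no real keys or crypto): returns a
// fixed pubkey and fakes id/sig with the right shape so the flow can be run.
const fakeSigner = {
  getPublicKey: async () => 'ab'.repeat(32),
  signEvent: async (ev) => ({
    ...ev, pubkey: 'ab'.repeat(32), id: 'cd'.repeat(32), sig: 'ef'.repeat(64),
  }),
};

// Usage (in a browser you would pass window.nostr instead of fakeSigner):
loginAndSign(fakeSigner, { kind: 1, created_at: 1700000000, tags: [], content: 'hello' })
  .then((r) => console.log(r.ok ? `logged in as ${r.pubkey}` : r.reason));
```

The point of `checkSignedEvent` is that a signer is itself a trust boundary: the client should confirm the returned event was signed under the key the signer advertised before relaying it, and `classifyLoginInput` gives a client a place to show the warning the thread says newcomers never see, instead of silently accepting the secret.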