Oddbean new post about | logout
 The "fake accounts" thing is solved by web of trust, no ? 
 It is resolved by NIP5 : https://nips.nostr.com/5 
 Sure but it takes some effort to setup. 
 If we are talking about how 95% of people use it, then not at all.
Many beginner friendly Nostr clients now automatically assigns nip05 address for you. So it kinda failed as a 'verification' mechanism unless you have a well known domain that belongs to you and took the effort to set it up. 
 Oh, sorry, I misread your reply. Yeah. 
 Partially wrong. NIP-5 as used by 99.9% of people doesn't "verify" anything. It is just an handy way to share/search contacts. Only people that own a well known domain can leverage it as attestation of their connection with it. 
 We should stop pairing NIP-5 with the word "verification". For newcomers it risks being a shitcoin game.
Use NIP-5 for its real functions and embrace WoT for actual contacts check.

nostr:nevent1qqsqcjkzhd6zw6mr0n056gtu4zpufp7gvf0m80w0037thcwt8q4mx5cprfmhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5hsygrmmmmmugka3evlgcqwq3922wsul966nhrayl04svauwldhsjjcq5psgqqqqqqsgjxkct 
 Agreed.

PoW keys are a step in the right direction, but even better are what I call PoW endorsements.

https://pippellia.com/pippellia/Social+Graph/Navigating+the+social+graph#PoW+endorsement 
 PoW is a powerful tool, but I don't like mixing money in the verification process, it becomes an upward game where the economically strongest wins. The social graph should be enough, and it's harder to hack. 
 It's difficult to game it tough. An attacker can pay a miner 10$ to get his PoW checkmark, however, unless he's followed or interact with many other real an trusted people, he'll lose that initial weight in algos like Trustrank. 
 Creating an identity on nostr is basically free. So imagine an attacker creates a whole new network of nibs following each other, exactly replicating the structure of the real network of npubs, same structure.

The two graphs are isomorfic, so any graph analysis will yield the same result. Hence, if you don't have a pov (e.g brand new npubs that don't follow anyone) you can't distinguish between the two, hence my focus on PoW for this case. 
 Actually, this could be a problem for brand new npubs starting with zero known contacts, but it seems a quite rare case. I think the normality is to be onboarded at least by a friend, or discovering a new app/platform, where I interacted with legittimate users. I would not overcomplicate things. Btw, IRL connections win. 
 t-y daniele 
 This is the most difficult part. 

A brand new npub doesn't have a wot network from his pov, but that's not a big deal - onboarding client should ask them about their content preferences/hashtags and even if user doesn't choose to follow someone and get his wot seeded, client could use some popular accounts from the topics user has chosen to serve as temporary wot sources.

The bigger problem is that relays can't distinguish a brand new npub from spam. I.e. if someone big tweets about nostr and a wave of new people comes in short time, it's indistinguishable from a spam attack from a botnet. And pow doesn't help much - you'd need something like 100 seconds of mobile cpu to produce pow equivalent to 1 sat - and I bet reply-scammers earn way more than 1 sat per event they post. 

I keep getting back to this issue in my head from time to time, and still can't find a good general solution, only whack-a-mole. Users can be protected from spam by wot, but public relays designed to onboard new users can't. Unless we attach some extra signal to new users (pow? 1 sat? some version of your pow endorsement?) while keeping the friction low.

Any ideas how "pow endorsement" could be practically applied to onboarding users at scale with low friction? 
 PoW endorsements can be computed by specialized miners, because who computes them isn't important.

I am not talking about PoW on every note. PoW endorsements are like PoW keys, but better.

However, that's not necessarily useful for new users. But then the question is, how can someone enter nostr?

Maybe the answer is that they need a invite of some sort to surpass the "reputation threshold".

E.g. the user gets invited by someone and that someone automatically follows them.

Or, the user gets invited into a NIP29 (?) community, and so proof of membership in a reputable community can be used.

 
 cc @nielliesmons I am spreading your idea of communities as entry points. 
 > Maybe the answer is that they need a invite of some sort to surpass the "reputation threshold".

That's the only plausible idea to me too, but it doesn't solve someone hearing "nostr" on twitter and googling it and trying to get onboarded. 
 yep, it doesn't. Maybe, just maybe, that's a feature. U know, invite-only socials have a sense of exclusivity. 
 Unfortunately the applied solution will be "please type these letters from the image" unless we figure something out 
 yeah, but I am not that pessimistic.

It's an order of magnitude better to do chaptas ONLY ONCE and then rely on your acquired reputation, than solving them all the time 
 Captchas don't really solve anything either, they just make spam a bit more costly, but people will resort to them without anything better on the table. 
 because the values are computed from your position on the graph the fact they have weak links to the rest of the network will still diminish their ranks 
 Indeed. The problem arises only when a malicious client exclusively uses it's own malicious relays where the fake social network is totally detached. 
 ofc, but that's why I said "if u don't have a pov", meaning u are a new users that doesn't follow anyone. 
 that is probably a bad place to start, but also pretty uncommon, almost everyone knows someone who says "i'm on nostr" and they first follow them even if there is no onboarding procedure 
 not sure. That's true for our "community" of Bitcoiners, but that might not be true in general. 
 the thing that helps make sure of it is well known clients that have default logged out feeds of legit people

if people are dropping links to fake clients then yeah, but this is a general web phishing problem not anything special about nostr 
 PoW is also not a verification system.
Spammers are more than willing to pay to spam better. They will even buy batches of email addresses, run bots etc…

Spammers pay. "Normal" users, commonly, do not. 
 nothing is a perfect verification system.

However, verifiable cost kills 99% of bots, which might be enough. 
 Why do you think so?
Again, spammers are absolutely willing to pay. It's by paying that they have become so prominent on the web. The fact that the cost is "verifiable" doesn't make much of a difference. 
 Just look at Twitter. I would say 99% of bots haven't the blue check.

It's a matter of economic margin.
There are spamming methods that are economical at 5¢ that aren't at 10$.

And, this PoW stuff that I am talking about, is to be used to help a new user bootstrap his own web of not spam. 
 It's also useful for proving affiliation with a project or community. 
 And it makes for nicer URLs. 
 Actually, you can have more NIP-5. 
 I have 5 of them. 🤷‍♀️

My point is that I switch them out, on purpose, to show affiliation or to help someone market their project.

I low-key wish I could add them all to my profile. 😂 
 Like, have a different one displayed, depending upon which client I used. 🤔 
 agree 
 I am worried that, at this point no one would buy US debt in USD. a major makeup of Treasury might b3 needed if you decide to measure debt in BTC.  
 Yes. NIP-05 is for identification. i.e. this address maps to this public key. “You can find me at this address”. That’s all. Doesn’t have anything to do with anything else. 
 What are NIP-5 real functions? 
 Share a contact, search a contact.
Think of it as a shortcut to a nprofile (npubs + relays hints). 
 Thanks a lot. Need to ask about relay hints. In this context what would that be? 
 Tell people where you write your notes and where you would like to read replies. Aka Outbox (originally called "gossip") model.
https://mikedilger.com/gossip-model/
This is the foundation of Nostr decentralised structure. 
 Spell it out! What's WoT?😇 
 Web of Trust 
 What's the best way to implement WoT? 
 It'a client job, leveraging the social graph and maybe other metrics. Coracle.social was probably the first to introduce the WoT concept, and it has a great implementation. Read a summary here:
https://pippellia.com/pippellia/Social+Graph/Navigating+the+social+graph#Principle+of+least+interference 
 agree 
 As a newcomer I found it confusing. Though maybe the concept of verification could be emulated with a competing set of verifiers that the client chooses to adhere to 🤔 
 I still like the idea of badges for those who have earned them through tasks at live events 

Or badges for people who zap others a lot and participate in the economy 

I think we should look to the boyscouts to see what they do- I’ve never been a part of that cult (😂 /s), but they probably have some good ideas 
 Nice idea, but the problem here is the "value" of the badges. It is necessary bounded to whom create them, they are just a passthrough, so we are falling back to the Web of Trust. 
 If you make them assigned to tasks it’s a protocol 

Like being an only-zaps person makes you cooler idc 

There should be a special only-zaps relay 
 Someone has to sign the badge; the protocol cannot do it alone. So this “someone” gives trust/value to the badge. 
 A certain amount of witnesses could sign? I’m sure enough thought could be given to it for a work around 

How does it work in the Scouts? 
 I think decentralized verification, based on any criteria verifiers decide, should indeed be based on a badge-like mechanism, but it probably should rely on a separate NIP and different event kinds. 
 The whole concept of "verification" is bound to centralized structures, it should be buried. Self-verification is a state of mind. Instead, verifying someone/something else is a matter of active experience and interactions, which minimize the trust factor. Of course technology helps, but also WoT needs to be verified and not blindly trusted. "Proof of work" means taking responsibility for everything we care about, exactly like we do (should do) in real life. 
 There is no way I can fathom doing it without trusted parties, sure. I guess I haven't truly embreced the philosophy already but hypothetically, community bound verifications, though trust reliant could be put in place if desired 
 I understand, it is not easy. The good news is that these trusted parties can be collaborative and self-monitored: peer reviewed algo within peer reviewed platforms. But we must always keep an open eye on our verification attitude. 
 > The whole concept of "verification" is bound to centralized structures, it should be buried.

It doesn't have to be. There can be multiple verifiers and a single pubkey can be verified by many of them. If among the verifiers that verify me there is at least one which is included in your trusted list, your client should show me as verified.
This would be a level of decentralization similar to that of relays (in the inbox model).

The issue with NIP-05, if it were a verification system (it's not), would be that an account can only be "verified" by one "verifier". So an account would have to pick just one and you'd be forced to "trust" any widely used one (if you want to rely on verification at all), leading to centralization. 
 true 
 💯 
nostr:nevent1qqsrpvvhnu5fu8gaudnlnuk7cdp3m5yezl6w88x9t38c3zdhaju52tcprfmhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5hsygrmmmmmugka3evlgcqwq3922wsul966nhrayl04svauwldhsjjcq5psgqqqqqqsv6plrr 
 I agree, NIP-5 has nothing to do with verification.
I think a (decentralized) verification system on Nostr is possible, but it would have nothing whatsoever to do with NIP-5. 
 Indeed, NIP-05 isn't meant at all as a verification system.

nostr:naddr1qvzqqqr4gupzq5455pmtewaacws6a73hxkqkea6fjwcm3keq9vqu3q7930nl4k9aqy88wumn8ghj7mn0wvhxcmmv9uqpymnfwqcr2ttfwvkkumm594mx2unfvcyv4z98 
 badges 😂, few know how to make badges  
 My bet is that 99.9% of the world is onboarded via some already active Nostr user OR using a well known client, that so takes the responsability for not exposing only one totally fake network. 
 i'd agree, but go further and say less than 1/1000 users are not going to jump in with at least one legit person to start off with, probably more like 1/10000

and so long as the clients default to networks composed of mostly real people

fake networks and fake relays are in the same category as scams in general, and probably the subject matter of such fake networks would be pump and dump and other kinds of scammy shitcoinery 
 First paragraph is wide of the mark - I didn't know any of you freaks before I spun up my npub :)

And a lot of people I talk to under #introductions be the same.  Sample on convenience etc etc, YMMV, but I'm pretty sure we "walk-ins" are a majority of new npubs.

The rest of your post I agree with. 
 Accurate. I knew no one, only of people talking about it. Everyone I've helped get set up, that I've taken the time to ask, has either watched a video or read an article that piqued their interest.  
 yeah but you found gigi or jeff booth or lyn or something, or someone anyone dropping their npub, i mean, it's pretty unlikely that you even go to nostr without one person in your mind to follow here, in my opinion

most people talk about the people, and the protocol, not the client apps 
 I'm just saying that some people are so ubiquitously known that knowing of them & searching them out doesn't provide much proof of anything about the person searching & following. 

I'm probably misunderstanding something somewhere... I should just stay in my lane 😅 
 well it would be a red flag to spot an influencoor on nostr from X and they only show 5000 followers while they have a million on twitter 
 Eventually, yes. Once they establish themselves. That number is also incredibly unstable though so is it really reliable? 
 well, we can't bring all the stray lambs back from the brush but i think in the next 6 months a lot of tools will exist that will improve this... i for one am looking forward to the map of Nostr 
 Yeah, I'm of the mindset that follower counts should fade away & get replaced with other signal metrics while it's still early enough that it causes minimal pain. 
 i came here from xitter, i followed in people who i knew from there who were talking about here 
 i'd agree, but go further and say less than 1/1000 users are not going to jump in with at least one legit person to start off with, probably more like 1/10000

and so long as the clients default to networks composed of mostly real people

fake networks and fake relays are in the same category as scams in general, and probably the subject matter of such fake networks would be pump and dump and other kinds of scammy shitcoinery 
 First paragraph is wide of the mark - I didn't know any of you freaks before I spun up my npub :)

And a lot of people I talk to under #introductions be the same.  Sample on convenience etc etc, YMMV, but I'm pretty sure we "walk-ins" are a majority of new npubs.

The rest of your post I agree with. 
 Accurate. I knew no one, only of people talking about it. Everyone I've helped get set up, that I've taken the time to ask, has either watched a video or read an article that piqued their interest.  
 yeah but you found gigi or jeff booth or lyn or something, or someone anyone dropping their npub, i mean, it's pretty unlikely that you even go to nostr without one person in your mind to follow here, in my opinion

most people talk about the people, and the protocol, not the client apps 
 I'm just saying that some people are so ubiquitously known that knowing of them & searching them out doesn't provide much proof of anything about the person searching & following. 

I'm probably misunderstanding something somewhere... I should just stay in my lane 😅 
 well it would be a red flag to spot an influencoor on nostr from X and they only show 5000 followers while they have a million on twitter 
 Eventually, yes. Once they establish themselves. That number is also incredibly unstable though so is it really reliable? 
 well, we can't bring all the stray lambs back from the brush but i think in the next 6 months a lot of tools will exist that will improve this... i for one am looking forward to the map of Nostr 
 Yeah, I'm of the mindset that follower counts should fade away & get replaced with other signal metrics while it's still early enough that it causes minimal pain. 
 i came here from xitter, i followed in people who i knew from there who were talking about here 
 Yes, and what I mean is that the cost of solving a captcha by automation services is 0.5-30$, I pay for it, spam the shit out of that npub for 1 month, scam people on >30$ and get profit. So it might raise the bar, but not really solve it.