npub1nyrf...lzp9
Let's say I run my own ecash mint. I issue myself a bunch of tokens, then I go and spend them. My mint allows the recipient to redeem them, but later on when someone (other than me) wants to melt the tokens, the mint just pretends to be offline or something. I'm then able to rug spent tokens because I own the infrastructure. It seems like the only way to defend against this attack would be for recipients to immediately melt all tokens issued by untrusted mints. Is this the standard pattern for receivers? Is the mint trust model front and center in cashu implementations?
Community apps feel like the new nostr gold rush, everyone keeps building new ones that all work completely differently. I agree with their importance (obviously), but it seems like this has the potential to fragment things more than ever, just because communities are a rorschach test. Everyone also has their own libraries and preferred development stack. What if we just all agreed to start from scratch and work together to create something new? It probably wouldn't work because we're all so disagreeable, but one really good community app would be better than 10 incompatible ones.
Nostr was mentioned on my favorite cryptography podcast today, Security, Cryptography, Whatever — they didn't spend a lot of time on it, but here are some highlights:

> It’s federated and it’s European. I bet it sucks.

> It’s some Ayahuasca inspired initiative from. From Messrs. Dorsey et al.

> Yeah, sure, it’s decentralized and federated, but like their proposal for encrypted end to end encrypted DMs was just bad by itself.

> When I reviewed this, my description of this was it looks almost exactly like Nebuchadnezzar [https://nebuchadnezzar-megolm.github.io/], which is like a fractal of things that could have gone wrong with like a complete ecosystem of like a secure messaging system. They found flaws in almost every component of that system and then tried to leverage them as far as they could.

You can read/listen here:

They also mentioned a talk that's going to be delivered at blackhat on August 9th which sounds super interesting:

> In this session, we unveil the first comprehensive security study of Nostr and its popular client applications, demonstrating how subtle flaws in cryptographic design, event verification, and link previews allow an attacker to forge "encrypted" direct messages (DMs), impersonate user profiles, and even leak the confidential message from "encrypted" DMs.

Here's the link to the agenda entry for the talk:

I'm looking forward to learning how we've screwed up — there aren't a lot of cryptographers here, and I know that open protocols make security even harder to maintain. Maybe we've screwed up irretrievably, but I'd rather know now than later.
@Mazin it looks like nostr.wine is asking for auth without sending a challenge. Tested in coracle and snort.
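The situation in the post above, as an added example that is not part of the original post or of any client's code: a NIP-42 client that checks the relay's AUTH frame for a non-empty challenge before building the kind 22242 response, and ignores frames that ask for auth without one. Signing is left to the caller; the relay URL and challenge values are constructed.

```javascript
// Added example (not from the original post): client-side NIP-42 handling
// that refuses to answer an AUTH request carrying no challenge. Signing the
// returned event is left to the caller (e.g. a NIP-07 or NIP-46 signer).

const AUTH_KIND = 22242; // NIP-42 client authentication event kind

// Parse one raw relay frame; return the challenge string, or null when the
// frame is not a well-formed ["AUTH", "<challenge>"] message.
function parseAuthFrame(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return null;
  }
  if (!Array.isArray(msg) || msg[0] !== "AUTH") return null;
  const challenge = msg[1];
  // A relay that asks for auth but omits (or empties) the challenge gives the
  // client nothing to bind its signature to, so treat it as no request.
  if (typeof challenge !== "string" || challenge.length === 0) return null;
  return challenge;
}

// Build the unsigned kind 22242 event answering a valid challenge. Both the
// relay URL and the challenge are tagged so a signed reply cannot be replayed
// against a different relay or a different session.
function buildAuthEvent(relayUrl, challenge, pubkey, now = Math.floor(Date.now() / 1000)) {
  if (!challenge) throw new Error("refusing to build AUTH event without a challenge");
  return {
    kind: AUTH_KIND,
    pubkey,
    created_at: now,
    tags: [["relay", relayUrl], ["challenge", challenge]],
    content: "",
  };
}

// React to a frame: an unsigned event to sign and send back, or null when the
// frame should be ignored (a client would typically log such a relay).
function handleRelayFrame(raw, relayUrl, pubkey) {
  const challenge = parseAuthFrame(raw);
  if (challenge === null) return null;
  return buildAuthEvent(relayUrl, challenge, pubkey);
}

// Constructed sample frames, not captured from any real relay.
const GOOD_FRAME = '["AUTH","c7f3-constructed-challenge"]';
const MISSING_FRAME = '["AUTH"]';
const EMPTY_FRAME = '["AUTH",""]';
```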
@𝕾𝖊𝖗 𝕾𝖑𝖊𝖊𝖕𝖞 you asked what I thought of WoT relays, I didn't have a chance to answer. I think they're cool, but they have to be used correctly. Archiving is great, uncle jim-ing outbox is also a good use case (although I imagine they wouldn't work for dms or inbox). Also good as custom feeds, curated by people whose taste you like (although you could just load that up directly by requesting based on someone's follow list). I think all of these use cases are pretty weak, since there are other heuristics for finding the same content in most cases.
Never underestimate the extent to which what we want determines what we believe
Remember how I was writing a book? Well, I gave up on it. But then I wrote a different one: This book is both practical and philosophical. It elides a lot of the details you can otherwise get by reading Nostr NIPs, focusing instead on all the things I've learned over three years working on nostr. It includes a number of contrarian opinions which may be partially or completely wrong. Feel free to disagree, or even tell me where I'm wrong. I'll be releasing updates to the book as I have time and inclination to repent of my mistakes and omissions. The book is free, with epub and pdf versions available for your reading pleasure. If you like the book, you can send me bitcoin via nostr or at and if people like it enough I may publish a version that you can touch with your fingers.
Capitalism isn't bad, monopolistic corporations are
Government isn't bad, unaccountable government is
Technology isn't bad, externally imposed systems are
Just thinking out loud here
Just learned about Fisher Ames:

> Ames was on the committee that inaugurated President Washington, he framed the final accepted wording in the First Amendment regarding freedom of religion in 1789 and fought many key legislative battles successfully for the Federalists in Congress.

> Ames died on July 4th, 1808, at the age of fifty; making him the first of three Founding Fathers who died on July 4th - along with Thomas Jefferson and John Adams - who both died in 1826.

Based
Just uninstalled my NIP 07 browser extension to dogfood NIP 46 harder. As a side effect, I am now unable to log in to the majority of nostr apps without pasting my private key.
Apparently when you sign in to satlantis for the first time, it automatically changes your NIP 05 to `@satlantis.io`. Classy.
Mentions have two parts: `p` tags and delivery to the correct relays. If a note has a `p` tag but isn't delivered to the recipient's inbox relays, it may as well not exist.
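The two parts of a mention described above, as an added example that is not part of the original post or of any client's code: given a note's `p` tags and the NIP-65 relay lists (kind 10002) of the people it mentions, compute the inbox relays the note has to reach, and flag mentions whose inboxes received nothing. Pubkeys, relay URLs and events are constructed placeholders.

```javascript
// Added example (not from the original post): check that a note with `p`
// tags was actually delivered to each mentioned pubkey's inbox relays.
// Relay lists (kind 10002) are assumed to be already fetched and passed in.

// Normalize a relay URL so "wss://host" and "wss://host/" compare equal.
function normalizeRelay(url) {
  return url.trim().toLowerCase().replace(/\/+$/, "");
}

// Inbox (read) relays from a kind 10002 event: `r` tags marked "read" or
// carrying no marker (read+write). "write"-only relays are not inboxes.
function inboxRelays(relayListEvent) {
  const out = new Set();
  for (const tag of relayListEvent.tags) {
    if (tag[0] !== "r" || !tag[1]) continue;
    if (tag[2] === undefined || tag[2] === "read") out.add(normalizeRelay(tag[1]));
  }
  return out;
}

// Map each mentioned pubkey to the inbox relays the note must be sent to.
// A pubkey with no known relay list maps to an empty set: nowhere to deliver.
function deliveryPlan(event, relayListsByPubkey) {
  const plan = new Map();
  for (const tag of event.tags) {
    if (tag[0] !== "p" || !tag[1]) continue;
    const list = relayListsByPubkey.get(tag[1]);
    plan.set(tag[1], list ? inboxRelays(list) : new Set());
  }
  return plan;
}

// After publishing, list the mentioned pubkeys none of whose inbox relays
// received the note; for them the mention "may as well not exist".
function undeliveredMentions(event, relayListsByPubkey, publishedTo) {
  const sent = new Set(publishedTo.map(normalizeRelay));
  const missed = [];
  for (const [pubkey, inboxes] of deliveryPlan(event, relayListsByPubkey)) {
    if (![...inboxes].some((r) => sent.has(r))) missed.push(pubkey);
  }
  return missed;
}

// Constructed sample data: placeholder pubkeys and relays, not real ones.
const ALICE = "a".repeat(64), BOB = "b".repeat(64), CAROL = "c".repeat(64);
const RELAY_LISTS = new Map([
  [ALICE, { kind: 10002, pubkey: ALICE, tags: [["r", "wss://alice.example/", "read"], ["r", "wss://out.example", "write"]] }],
  [BOB, { kind: 10002, pubkey: BOB, tags: [["r", "wss://bob.example"]] }],
]); // CAROL has no relay list at all
const NOTE = { kind: 1, tags: [["p", ALICE], ["p", BOB], ["p", CAROL]], content: "hi" };
```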
Great thoughts from my friend's email newsletter:

> The people who think AI is reshaping reality spend way too much time on the internet. “How will we know what’s real?” means “How will we know whether a TikTok video has been human-processed or machine-processed?” “The art of writing will die” means “The art of writing boring blog posts and meaningless corporate emails will die.” It seems appropriate for the vast, illusory engine of unreality (the Internet) to be created, curated, and synthesized by machines.
Just stumbled on an old Figma file from 2022 for "Blazepoint", which would eventually become Coracle. A lot of important ideas were in the original, including web of trust and pay-to-post, which is cool to see.