Sounds great, looking forward to what you come up with. We need people like you to stress test the network, because as you say there are a lot of vectors. Be patient with us though, because devs have an incredible amount of work on our plates. This is a 30+ year project. Let's go!

I would love to hear more about what you think the top 2-3 things are that are broken. I get that the network is not very mature when it comes to strong privacy or moderation but are there specific things you'd call out?

I don't intend to push every button at once. For right now it's easy IP leaks. That needs to be resolved first. I don't expect it to happen overnight. This place can mature into a universal standard if we work out all the kinks.

Top flaws? 1) Reckless NIP implementation. Too many features with deleterious side-effects. 2) Poor privacy controls. Way too easy to leak PII. 3) Poor key management. One big exploit could compromise large numbers of accounts. Ad for moderation, I just worry about the commonality of extreme content that will scare away new users.

1) Once you have an account established and are following people it is mostly fine, but it's hard to browse the global feed without seeing strongly undesirable content such as lolicon (or worse). This is a natural consequence of being censorship-resistant, but it will scare new users away. I'm excited to see how this can be reigned in without harming the free speech of other users. 2) By "centralized development", I just mean any standard unifying practice for development. Centralizing a core Nostr codebase under GPL would keep it property of the people forever, while making sure all bugs and weaknesses are patched for everyone. Everyone doing things their own way is a recipe for disaster. Death by a thousand cuts. 3) I have never used Damus, so nothing I've uncovered is specific to them. Finding a weakness in Nostr means every affected Nostr project needs to fix it independently. Even I don't want to write that many bug tickets.

I'm not aware of anything broken. Show us please

Your approach come off as being a little bit heavy-handed, but after giving it some thought I kind of appreciate what you're doing. We need privacy stress tests and unfortunately, gentle reminders don't seem to work. We can jump up and down and scream about the importance of a VPN and basic privacy preserving techniques. But some people won't "get it" until they see some consequence like you showing how simple it was to grab a users IP. It's actually a bit of breath of fresh air to see someone who's willing to stir up a pot a little bit in an effort to help the network grow rather than a malicious actor trying to genuinely fuck with people.

1) Agree on the anime p*rn being an eyesore for most. Certain relays have more than others. Agree protocol allows for this, and it is the tradeoff of censorship resistance. I see onboarding as the initial part of the challenge here. Specifically on Damus, the current band-aid solution during onboarding is to have a list of suggested profiles to follow thematically separated (homesteading, parenting, media etc.). Discovery post-onboarding, and the "universe view" is the never-ending continuation of this question. Team is aiming to explore the design, and experience here soon ™️ . Further to the **** problem, there's some work done on using opt-in sensitive image scanning on Damus. It's not complete, and not yet tested for reliability and robustness. 2) > Centralizing a core Nostr codebase under GPL would keep it property of the people forever My understanding is nostr code is licensed (verbatim) as "public domain". 3) I got you, and appreciate effectively pointing out a single weakness thus far. I hope you continue exposing weak points. Here is a proposed solution for a single client:

GitHub

damus-io/damus

iOS nostr client. Contribute to damus-io/damus development by creating an account on GitHub.

If you have feedback on this solution, I'd be happy to pass on to the dev team. If it's just the problem statement/issue you want to share, I am happy to put on the radar of various nostr clients by generating a bunch of issues. Lmk if/how I can be of help.

One fundamental flaw I see with this idea is that if you are addressing the method in which I gathered these IPs (via DM), you would have to send decrypted URLs from a users end-to-end encrypted DMs to the image proxy, which endangers privacy in a new way because it revealed part of the message to the proxy. Now you have to trust the proxy with potential secrets. Link Previews are also a vector for attack here, and it would be even worse to send all DM'd URLs through the proxy. I also worry that image proxies could bloat the cost of running a client, are a form of centralization (this solution only benefits Damus users), and are a vector for DDoS/Abuse.

Glad to meet you and yes, please share what you find.

Are you talking about IP addresses? IP address privacy is solved. Use a VPN or use Tor... tails... or qubes. Depending on your threat model. To do IP you need an address, and that IP address necessarily gets signalled to your IP peer. And if you don't do IP you are not on the Internet. Nostr clients shouldn't be trying to control every protocol layer. Let the IP layer software handle the IP layer and nostr runs on top of that.

Every few months one of these self proclaimed hacktivists comes to point out nostr shortcomings in some malicious and uncreative way. So far none of them that I’ve come across has actually pointed out anything useful. This doesn’t seem any different. It’s just a way for them to flex their ego and get some recognition. Clients should at the very least have a toggle to turn off loading images from people they don’t follow (or their WoT) and many already do. Outside of that, there is nothing broken and nothing to fix. Not sure why we give these people so much attention…

Nostr is the first thing to teach people how the internet works since MySpace.

Most people don't care about privacy. Edward Snowden and others have been trying to convince people that they should care. And events where good people suddenly become seen by society as bad people have worried a lot of us, so more people care now.... the excuse "I don't need privacy, I'm not doing anything wrong" doesn't apply to that last case. Whoever you vote for you will have enemies, and you should want protection from them. I've already commented on IP address privacy - I don't think it should be handled in-protocol. I believe using the web stack puts both privacy and security at risk which is why the client I develop (gossip) runs on the desktop without a web stack. I've tried to include a lot of settings to allow people who care about privacy to maintain their privacy. You can disable rendering media inline automatically. You can disabling fetching of avatars, of media, of checking NIP-05, of fetching metadata. You can run in offline mode. You can include a ["client","gossip"] tag if you want, or can turn that off. You can include a user-agent string if you want, or turn that off. Oh, and your private key is stored encrypted under a password and zeroed (along with passwords) before memory is released. I intend to give users more control over connecting to and authenticating to relays via whitelisting (slated for 0.10). I intend to implement NIP-46 in both directions, which will help a lot with key management, especially as other nostr clients and services begin to support it. As for moderation, gossip allows you to write a script to filter posts using any code you can dream up. We also just added code to not load posts from people you don't follow unless they are on relays you designate as 'spam safe'. So I think we are on track, and these issues are all being addressed. But there is plenty of work to keep on doing.

Gossip client doesn't even have a way to see global relay posts. Apparently I missed out on shower girl, 🍆-pic day, and lots of other things. Now that users can mark relays as 'spam safe' (trusted to moderate content - I should probably rename it) I may add in a global feed for those relays.

I'm not going to pretend that what I did wasn't trivial. It was. But if this trick is so uncreative and unoriginal, why hasn't this attack vector been resolved yet? If nobody has a reason to fix this, I'll give them a reason.

What is there to fix in the nostr protocol? If a particular client is loading images from unknown recipients, that’s an implementation choice. If you have a problem with it or think it should be done differently, you can open an issue in their repo or write a PR and contribute to a solution. Or, of course, you can use a different client or write your own. I fail to see how this is a nostr weakness or how what you’ve done is helpful or creative. People who are concerned about exposing their IP on the internet should use a VPN or Tor.

Hi ! Looking forward to seeing what you have found out.

Perhaps create a second nostr account for bot posts (e.g. the IP addresses) as they are informative but they make u individually difficult to follow.

Unsure about what you mean with “it’s regrettably broken”. Would love to hear more on this. Thanks to @I)ruid for reposting.

@npub1sn0r...jtws (and Iris) client have a default option called 'Image proxy service' which I believe solves the issue, right? @Ostrich McAwesome

The real issue is inconsistency. Different clients have different ways of trying to protect you from the same features, all of which are implemented differently. Also, using an image proxy may protect you from leaking your IP, but as I have mentioned previously, this would now mean that URLs from your end-to-end encrypted messages would be decrypted and sent to the proxy, damaging your privacy in a different way. Ultimately, my take on Nostr web clients is that if you're using any other browser than Tor Browser, you're doing it wrong.

I completely agree with certain types of ‘stress testing’, breaking things and exposing gaps but I do NOT agree with posting IP address that can potentially hurt someone. I understand that this can easily be found, however if the particular person wants to go to the effort of finding out that information. I do NOT agree that it should be posted out there for everyone to see. Expose issues but don’t expose things that can potentially harm someone.

The cat-in-the-box theory, whether full or empty, depends on you. The goal is 5 million, but the choice between the full or empty box is yours. Solana..... 5uiAkvrEBRP71snvPsQC9AV1qrTGkJGyEqrPeJ3mrmNt

Sucks but gotta embrace the suck. Part of the process when growing fast. Lots of ideas being tested at once and over time we will see a normalized distribution of features centered around some broad appeal features. It'll come. Just let the devs cook bro. We are moving faster than we have any right to have expected.

*Breaks into warehouse *Beats security guard with baseball bat "Look at that attack vector. Good thing I exposed it or else somebody could have used it to hurt you."