Has there been an nsec compromise of any sort as a result of logging into a client directly with nsec instead of signer?
Replies (14)
I was thinking about this earlier. How many of those early apps I might have used could have stored my nsec without my having any idea.
I'd like to think that early nostr devs wouldn't do such a thing, but that sounds an awful lot like trust
the best such compromise keeps it a secret and has all those stolen nsecs talking weird stuff to eachother on a closed off relay, timestamps all of it throughout, and drops it in 2 years on the network for total chaos
I feel like it's been deep paranoia that has driven the move towards complexity. I think it is valid because it is a better discipline but we do it at the expense of attracting more users.
Ain't no scammers who got the patience for that wait
Hahahaha
This is causing me to question if I would trust my password manager with my nsec. Right now the answer is no
The pre 23 ones yes. After prob not
I've seen some old accounts that leaked their nsec resurface years later as a scam or bot.
There is that. We can afford to have a new generation of password management tools
I guess it happens but less is true. Maybe because we have less users
Yep. Anyway I am wondering if it's soon time to retire from building nostr things... mostly cuz
Everything is getting clawd to death lol
It did happen a lot back when Anigma was still a thing and XSS injection was possible and the nsec was saved in the browser.
More recently the problem is that devs don't check the libraries they are using and don't know what the library is doing. It wouldnt be very difficult to find a dev using a library that was intentionally designed to steal the nsec.
The other problem is that the nsec wouldn't have to be used right away. Attackers can steal the nsec and wait for when the account is large and with influence to sell or use it somehow.
Couple that with the fact that separate relays can have different things, it is possible for an attacker to use your nsec in just one relay and all users of that relay can fall into giving the attacker's money thinking it was you. And you won't even notice what is happening if you don't use that relay. You would swear your key is safe while attackers are running wild with it.
Also, they can post in the past and future as you to build reputation for other things/keys since no one is checking if you actually wrote your past posts anyway.
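The single-relay and backdated-post abuse described in this reply can be checked for from the account owner's side by comparing what each relay holds for your pubkey against your own record of what you signed. The following is an added example, not code from the thread or from any Nostr client; it assumes constructed event data, a placeholder pubkey, and that signatures were already verified by whatever fetched the events.

```python
# Added example, not code from the thread: audit what relays hold for your pubkey
# against your own record of what you signed. Event dicts follow the NIP-01 shape
# (id, pubkey, created_at, kind, content); signatures are assumed already verified
# by the fetching client. All sample data below is constructed for illustration.

PUBKEY = "ab" * 32                     # constructed placeholder hex pubkey
KEY_CREATED_AT = 1_690_000_000         # when this key was generated (constructed)
CLOCK_SKEW = 15 * 60                   # tolerance before calling a timestamp "future"

def ev(eid, created_at, content):
    return {"id": eid, "pubkey": PUBKEY, "created_at": created_at, "kind": 1, "content": content}

# Events you actually signed, e.g. kept by your own client (constructed).
LOCAL = {e["id"]: e for e in [ev("e1", 1_700_000_000, "gm"), ev("e2", 1_700_100_000, "building")]}

# What each relay returns for a REQ with authors=[PUBKEY] (constructed).
RELAY_VIEWS = {
    "wss://relay-a.example": [LOCAL["e1"], LOCAL["e2"]],
    "wss://relay-b.example": [LOCAL["e1"]],
    # relay-c carries two events you never published: one only here, one backdated
    "wss://relay-c.example": [
        LOCAL["e1"],
        ev("e9", 1_700_200_000, "post you never wrote, only visible on this relay"),
        ev("e8", 1_600_000_000, "old-looking post, dated before the key existed"),
    ],
}

def audit(pubkey, local, relay_views, key_created_at, now, skew=CLOCK_SKEW):
    """Return (issue, event_id, relays) triples; an empty list means nothing suspicious."""
    unknown, findings = {}, []
    for relay, events in relay_views.items():
        for e in events:
            if e["pubkey"] != pubkey:
                continue                       # relay returned someone else's event
            if e["id"] not in local:           # signed with your key, but not by you
                unknown.setdefault(e["id"], []).append(relay)
            if e["created_at"] < key_created_at:
                findings.append(("backdated", e["id"], [relay]))
            elif e["created_at"] > now + skew:
                findings.append(("future_dated", e["id"], [relay]))
    for eid, relays in unknown.items():
        # Present on only some relays is exactly the "just one relay" pattern above
        scope = "partial" if len(relays) < len(relay_views) else "all"
        findings.append((f"unknown_event_{scope}", eid, sorted(relays)))
    return findings

if __name__ == "__main__":
    for issue in audit(PUBKEY, LOCAL, RELAY_VIEWS, KEY_CREATED_AT, now=1_700_300_000):
        print(issue)
```

A real run would replace `RELAY_VIEWS` with the result of a REQ to each relay you have ever written to, not only the ones you read from, since the point of the attack is to use a relay you do not watch.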
In 2023, @npub1earn...ja5j built a Nostr feature into their game app that stored your nsec, and if you had signed up for a new account, they wouldn't give you the one they created. Either way, that nsec has been forever compromised.
True. I kind of want to see what happens when a Taylor Swift nsec is leaked