I have lost all trust in almost everything in the Bitcoin/Nostr space in terms of security.
From hardware wallets including the most popular Bitcoin-only ones, to wallet services, to Nostr apps, to LN wallet software…
AI slop will only make this worse. This entire ecosystem is built like a house of cards.
Replies (125)
House of 💩
Idk... multisig seems like a good defense.
What do you mean? Why are you using AI slop? Don't use those, because those vibe-coded apps are built by people who don't know how to code, so they end up with security holes.
All HWWs that I have come across are turds.
This problem existed before AI slop
Multiple turds make it more difficult, so I'm told.
3 “do not enter” signs are about as effective as 1 “do not enter” sign.
That makes sense when you have good security (3 locks are harder than 1) but if they are flawed in mostly the same ways and are basically a paper tiger then it doesn’t matter.
So, keeping corn on an exchange is better?
I dont think so.
What's your ideal solution?
Cold card is a solid HWW.
Coldcard is not a solid HWW at all. I work on secure element design and several other people that also do agree.
Don’t use an exchange. SeedSigner so far is the best approach though it needs more code auditing.
You're one of the good ones. Too many puff cake around this space building play-toys.
Stay around, build that trust. I'm re-engaging.
tipping point
I reported several security vulnerabilities to LNbits and they took months to fix and ignored it.
Alby did not follow basic security practices.
many HWWs are weak as shit
Nostr apps keep leaking nsecs every few months.
The reference Cashu mint is poorly designed and, in one case when I operated it, duplicated funds.
The entire ecosystem is not slop but a majority is, and especially the ones that push marketing hard. What they can’t do with skills they try to do with deception whether it be false marketing or gold-coating a turd.
Well it has already contaminated a monetary system so who knows what’s next.
Software development should require a license of competency because it can and will create significant harms. From economic losses to disruption of critical infrastructure.
What nostr clients leaked nsecs?
The SeedSigner model intentionally puts firmware verification responsibility on the user.
Of course anyone can create a malicious firmware, for any signing device.
Some clients were designed without XSS protection. I believe Coracle sent nsecs to an analytics providers for a while by accident. And a lot of other stuff.
I totally get where you're coming from! But let's not forget there are some great projects working hard to improve security every day. Together, we can build a stronger and safer space! 🚀💪
I think you should go on Facebook and visit your local bank branch; it will help you feel better in no time.
😱😱😱
no!!!!!
ALBY:
btw, I couldn't reset password to alby. It worked once then when you login it will not work again after resetting it.
NOSTR:
On your 2nd point about nostr. I joined nostr last yr and when I joined I asked around about security. I don't believe I got a direct answer to it. I know 2 users here who had been breached. 1st user could not recover and she decided to leave. 2nd one, I guess he was famous here, forgot the name, he had to change acct. So it did not surprise me.
thankfully, I keep my nostr acct separate from my other stuff.
WALLET:
As for wallets, I do not use any of them.
I had issues with a no-KYC exchange and spent my entire Sunday troubleshooting them. I decided I'd had enough, so I left and did not pursue it.
So I guess the lesson here is to always protect and never trust the marketing hype. Keep everything quarantined.
If I lose this nostr acct and alby, I can afford it.
But I am not sure others can. 😔
I doubt anyone is 100% confident in their own setup because there is always an element of trust in play.
Maybe go check out my blog on how I've removed a few of those trusted elements. cadayton.onrender.com/blog.
if it was at one point and I have not heard of it so I decided to remove coracle.
Wait, did people log in to coracle with their bare nsec?
I've been paranoid about literally any xss for this reason. Outbox has me even more paranoid.
what about the outbox?
We need to fix the economic system. FOSS has no profit motive so it lives and dies with good intentions.
But conversely, profit pushes centralization/control.
We need to be clever. A prosperous economic system, without the control/centralization. Working on it.
Can you please address specifics so we can work on it?
Thank you!
excellent. thank you.
Outbox relay connections can spread through interactions and follows. If a client is vulnerable but a "trusted" relay was able to filter/block harmful events, an attacker can convince my client to connect directly to a malicious relay and possibly compromise my client.
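The spread described above comes from the outbox model: a client reads each followed pubkey's relay list (NIP-65, kind 10002 `r` tags) and connects to those relays directly, so one follow can steer the client to a relay the user never chose. The policy below is an added example, not code from the thread or any client; the relay-list events, the thresholds and the blocklist entry are constructed, and the rule "only connect to a discovered relay that several follows agree on" is an assumption about a sensible default.

```javascript
// Added example: gate outbox-discovered relays before the client opens them.
// Constructed sample kind-10002 events (only the fields the policy reads).
const RELAY_LISTS = [
  { pubkey: "alice", tags: [["r", "wss://relay.example.net"], ["r", "wss://relay.example.net/"]] },
  { pubkey: "bob", tags: [["r", "ws://plain.example.org", "write"]] }, // cleartext
  { pubkey: "mallory", tags: Array.from({ length: 12 }, (_, i) => ["r", `wss://r${i}.evil.example`]) },
  { pubkey: "carol", tags: [["r", "wss://relay.example.net"], ["r", "wss://other.example.com"]] },
  { pubkey: "dave", tags: [["r", "wss://solo.example.io", "write"], ["r", "wss://inbox.example.io", "read"]] },
];

// Constructed policy values; tune to your own threat model.
const POLICY = {
  requireTls: true,
  maxRelaysPerPubkey: 3, // an oversized list is a tell, not a reason to fan out
  minFollowersPerRelay: 2, // connect only where several follows agree
  blocklist: new Set(["wss://other.example.com"]),
};

// Canonical form so "wss://host" and "wss://host/" count as one relay.
function normalizeRelay(raw) {
  try {
    const u = new URL(raw);
    if (u.protocol !== "wss:" && u.protocol !== "ws:") return null;
    return `${u.protocol}//${u.host}${u.pathname.replace(/\/+$/, "")}`;
  } catch {
    return null;
  }
}

// Returns the relays the client may connect to, plus why others were dropped.
function selectOutboxRelays(lists, policy) {
  const votes = new Map(); // relay url -> Set of pubkeys that list it
  const rejected = [];
  for (const ev of lists) {
    const urls = new Set();
    for (const t of ev.tags) {
      // Outbox means the author's write relays; skip read-only entries.
      if (t[0] !== "r" || (t[2] && t[2] !== "write")) continue;
      const url = normalizeRelay(t[1]);
      if (url === null) { rejected.push({ url: t[1], pubkey: ev.pubkey, reason: "unparseable" }); continue; }
      urls.add(url);
    }
    if (urls.size > policy.maxRelaysPerPubkey) {
      rejected.push({ url: "*", pubkey: ev.pubkey, reason: "oversized-list" });
      continue; // ignore the whole list rather than fan out to a dozen hosts
    }
    for (const url of urls) {
      if (policy.requireTls && !url.startsWith("wss://")) { rejected.push({ url, pubkey: ev.pubkey, reason: "no-tls" }); continue; }
      if (policy.blocklist.has(url)) { rejected.push({ url, pubkey: ev.pubkey, reason: "blocklisted" }); continue; }
      if (!votes.has(url)) votes.set(url, new Set());
      votes.get(url).add(ev.pubkey);
    }
  }
  const allowed = [];
  for (const [url, who] of votes) {
    if (who.size >= policy.minFollowersPerRelay) allowed.push(url);
    else rejected.push({ url, pubkey: [...who].join(","), reason: "too-few-followers" });
  }
  return { allowed: allowed.sort(), rejected };
}

console.log(selectOutboxRelays(RELAY_LISTS, POLICY));
```

With the sample lists only `wss://relay.example.net` survives; every other discovered relay is logged with the reason it was refused, which is what you want in the client's diagnostics when a user asks why a follow's notes are missing.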
omg...I was asking this question here:
#asknostr tribe:
who is responsible for a breach (god forbid) in any nostr client?
Centralised platform, the org of the app is responsible.
I am not sure with nostr.
Has someone ever talked about it?
I understand users have to make sure they keep their private key.
But what about if the breach happens at the relay or client level?
genuinely curious to know considering everything that is going on atm.
Whilst we seek freedom, it also means we are responsible to keep everyone secure and safe.
Perhaps this discussion already came up in the past?
is this common knowledge among nostr relay operators and client devs?
I think we're severely lacking experienced engineers, myself included XD
Kind of. It's sort of a priority/trade off thing. Basic XSS can be easily mitigated, but the nature of nostr clients is that they're always fetching unknown and untrusted data from servers (relays) and it's often not a priority of the developer (or their AI vibe sessions) to consider the "what could happen if".
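The "what could happen if" for untrusted relay data is concrete: a note's `content` is attacker-controlled text, and the thread also mentions nsecs reaching an analytics provider by accident. The block below is an added example, not code from the thread or from any client; the sample event, the test nsec and the telemetry payload are constructed, and the interpolating renderer is the weak pattern shown only so the hardened one can be compared against it.

```javascript
// Added example: two client-side guards for the failure modes named above.
// Constructed sample event shaped like a kind-1 text note from an unknown relay.
const SAMPLE_EVENT = {
  kind: 1,
  pubkey: "pubkey-placeholder",
  content: 'hello <img src=x onerror="alert(1)"> see https://example.com/a?b=1&c=2',
};

// Weak pattern: content reaches the DOM as markup, so the onerror handler runs.
function renderUnsafe(ev) {
  return `<p>${ev.content}</p>`;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: tokenise the raw text, escape every segment, and only turn
// http(s) URLs into links. javascript:/data: schemes never match, so they stay text.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;
function renderSafe(ev) {
  let out = "";
  let last = 0;
  for (const m of ev.content.matchAll(URL_RE)) {
    out += escapeHtml(ev.content.slice(last, m.index));
    const u = escapeHtml(m[0]); // escaped for both href and link text
    out += `<a href="${u}" rel="noopener noreferrer" target="_blank">${u}</a>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(ev.content.slice(last));
  return `<p>${out}</p>`;
}

// Second guard: scrub anything that looks like an nsec from outbound telemetry.
// A bech32 nsec is "nsec1" followed by 58 data/checksum characters.
const NSEC_RE = /nsec1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}/g;
function scrubSecrets(payload) {
  const text = JSON.stringify(payload);
  const found = (text.match(NSEC_RE) || []).length;
  return { found, payload: JSON.parse(text.replace(NSEC_RE, "[nsec redacted]")) };
}

console.log(renderSafe(SAMPLE_EVENT));
// Constructed telemetry payload that accidentally carries a (fake) key.
console.log(scrubSecrets({ event: "login", key: "nsec1" + "q".repeat(58) }));
```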
Dunno man. I'm just a paranoid sysadmin who thinks everything and everyone is out to get him. It definitely doesn't mean I've formally verified all the attack surface i've worried up XD. I do really just wish more devs were even half as concerned about theoretical attacks (especially those that have existed since the birth of TCP/IP, HTTP, and web browsing)
NVK has been quite adversarial to the Seed Signer project publicly. I wouldn't trust the first propaganda I read about that comparison. IMO, SS is great.
Well said. There are really some abominable security practices out there. And much of the anti establishment attitude and "rebel dev" self-promotion does enough to cover it up and create a sense of false security in the community.
Unfortunately that’s true for many, and don’t get me started about random web extensions, that store your nsec in plain text in browser storage
what you call theoretical is what my former job calls as foundation for pentesting. they are part of reconnaissance: passive and active.
Which is why I started this https://github.com/VnUgE/NVault. But it's far from being suitable. Still better than storing nsec in the browser though.
Sure if the criticism is sound, that's another thing.
What did you take away from the article?
We could use your former colleagues!
I get 404
I have them all in my contacts. but they don't come cheap LOL 🤣 esp they came from the big 4. One of them co-founded a new security company
No worries heres my central site. Most people only click on github links so that's what I share.
https://www.vaughnnugent.com/Resources/Software/Modules/NVault
I am making a highly secure extension addition for the Nostr Build Shack now, should hit public test release this weekend.
Nostr Build Shack (Join the Nostr Build Shack beta, available on iOS)
I'm sure of it :) And I have severely misjudged your background based on the content I see you post
I am bookmarking it. would be great to hear an update though when everyone can use it and test it?
I don't use a smartphone but Ill take your word for it! I'm wanting to shift toward commercial/enterprise customers with on-prem requirements.
Me too XD. Unfortunately it's on the backlog for now, I've got a git server to get up and running XD
no worries at all. I get that a lot 🤣🫂
Fair game, but it’ll be tough
It seems you and @The Fishcake (nostr.build) are developing similar things. Are you two in collab? ☺️
He did and admitted to his mistake but I can’t remember how long it took @npub13myx...v3qk @Earnest Holden what is that guys name with the porn stash ?
Similar but not cross compatible (can be in the future)
I am sure there is plenty of room for it when you sched allows it lol 🤣
🤣
if someone will take a look at a nostr client, where do you suggest best to start and who to contact from the app for proper disclosure?
Do we have proper consent from the devs or channel to ask?
that's concerning 😱🙄
I do see a lot of devs self-promotion here but that is not a problem though as long as the app covers non-functional requirements eg security 😬 — it does what it says on the tin too
I have seen podcast re this with Dr. Amen who scanned thousands of brains, he warned the same and probably the same studies that you saw. 😬
To be fair, security is hard and nobody or organization is perfect, including me.
And nothing wrong with self promotion, especially in open source where funding is scarce or non-existent. But too much overconfidence can be misleading to self and others.
the reason software engineers do not need a licence is because it is left to the pentesters and employers to do it for regulation purposes. however, it does not mean that engineers must ignore basic security foundations. In a centralised organisation, there is a bigger incentive to keep the system secure due to reputational and monetary consequences. Hence, they hire the likes of cyber sec like pentesters who are regulated and insured to go in and look for vulnerabilities within the scope.
The question is, who is responsible when it comes to decentralised platforms, which I raised previously in my notes.
I also ask, if someone will go in and snoop around nostr clients — do we have breach disclosure channel to report it to and consent?
This is left unanswered atm. 😬☺️
💯 agree. I support self-promotion. this thread started with curiosity and now it is turning into a much bigger critical conversation for nostr if we truly want this to grow and get adapted universally.
I raised questions so I can reach out to the right people. 🤔☺️
@Ava — looping you in. I am not sure you have seen this thread. want to chime in?
Thanks, Love. I'm in. I know Semisol, and I'm with them on this one. Skills matter. AI's a great assistant, but a terrible master.
indeed. I am not sure if you remember last yr when I briefly joined. I asked if there were pentesting done in nostr and this was also the same time as the spamming incident.
I am not sure where we left it off.
If someone will volunteer to pentest nostr, who is the go to contacts? I cannot see disclosure contacts either 😬 what's the consent process to remove liability? 🤔
Omg 😨
2025 Bitcoiners are plebs. They care not for security and privacy.
You can see it by how they treat Monero, one of, if not the most solid community project out there.
Bitcoin culture topped in 2017. Few understand.
Reducing attack surface over convenient features.
Security hardening is hard because it can not be marketed like the new shiny features.
There are few projects that do a good job at it like Grapheme.
Eh 🤔
i just got a couple emails over past few days to reset pwd for one of those wallet services you mentioned and did NOT request it. Don't keep much sats on there but never saw one of those before. I wont throw them under the bus but paying close attention to all that you mentioned going forward. Thx for heads up. Do not trust verify.
i stumbled around and eventually landed on and read this post: https://www.vaughnnugent.com/blog/d9ab8a46cfa8d6bd59cf048fec8d73ffc44f881c 👍👍
you're thinking of @ hodlbod
steel plates, bombproof safes, landmines, walls
Interesting write up
Agreed. Though if I'm being perfectly honest, the approach of "everything is insecure, so I should build my own tools - they'll be more secure!" can be an anti-pattern in the wrong hands. I don't know enough about @ChipTuner or his work to say, but it's a very minor alarm bell.
Sometimes the whole ecosystem is improved more by talented and motivated individuals contributing to existing projects that need help in the areas those individuals identify as weak points.
I tried to find clean and compliant libs for swift, just to end up writing my own on top of the standard libsecp256k1 instead of gluing together all the slop
Are Bitcoin and Nostr going to fail?😫
That’s his name. 😂😂😂
Just an HTTP server with an API, so just about anything can be (assuming I get an alternate/standard session protocol established).
This project doesn't already exist. Noscrypt was built because others (including myself) were re-rolling their own NIP-44 crypto every time they wanted to create a messaging app. In the case of noscrypt the goal is to be as ubiquitous as OpenSSL. Which btw, noscrypt is not hand-rolled, have a look.
Yes, there is a judgement cast on "I'm smarter and I can build it better". I don't have a good argument to that, it is what it is. My attempt was naively to help prevent that. Noscrypt is an "old" project relatively speaking, it is the existing project.
This blog is also a long-form note on a relay somewhere :)
I'll spare my soapbox of the mono-language/high-level culture language speech, but there is a reason noscrypt is written in a systems language and I believe this is the only correct way for it to be implemented.
What do you think about Specter DIY?
That also is a good option. Smart card as SE works pretty well.
I totally agree with you.
🫡
Time to build your own
Many people in the space are far too confident about their competency in cyber security. I've worked in it full time for years, I involve myself in lab training and I am still sure I know very little.
Cryptocurrencies being associated with hackers in pop culture is mostly to blame for this. Using a couple of apps and a HWW gets people in over their heads. Growing anti-intellectualism by influencers (grifters offering to teach you better than a degree or an industry vet), unvetted GenAI content and a purity-test mindset harm the movement.
People are too confident to go against what every major company security team says. Working in technology doesn't immediately qualify someone as cyber security aware, never mind an expert.
People always make basic mistakes. Cryptocurrency companies and people get pwned all the time.
They are all specialists of knowing nothing about.. 😂
Come to the Dark Forest, we are waiting for you to use your skills to build real deals, you are better than all these guys.
Come build ''nostr 2.0'' with like-minded people, and forget these guys, they don't know what they are doing, and as the years pass it is worse and worse.
There is no space for guys like us here, don't waste more time, it is a lost battle, they are all pushing to the other side of freedom.
already failed..
😫
there's probably plenty of them, they're just not evenly distributed. or magic.
i designed a way to separate identity from authorization to avoid ever having your nsec in any app, based on my time designing and implementing high performance, distributed single sign-on at the new york stock exchange 🤷
GitHub: NIP-102: Subkey Attestation by ynniv · Pull Request #1450 · nostr-protocol/nips
This NIP defines a way to separate identity from authentication using hierarchical deterministic (HD) keys. This allows people to use one key pair ...
Are there any good write ups on what the concerns are?
Oh well, I guess Bitcoin is gonna fail
2017 culture with the ICO's was so much worse than it is today. 2013 was where it was at.
I said it topped in 2017. 2013 was the year with biggest momentum. That was indeed THE time.
Welcome to the "PaPer" Bitcoin standard.
Where everybody but a select few trade IOUs day in and day out to "make it" in the fiat hamster wheel.
We are so fucked.
The last thing software engineering needs is licensing.
Bitcoin's biggest weakness is it is software. Gold is hardware.
This is still because of a dependent mindset. Bitcoin security represents self-responsibility, being sensible about your context, and in harmony with your own skills. Trust yourself more than any entity or hardware or software. Keep it simple, keep it safe.
what's the issue though? need to know - was attracted by the PSBT signing
weak secure elements, bad architecture, UX is suboptimal, the designers of the architecture don’t know much about proper security, and not related but the company behind it has done a lot of shady shit.
What the fuck are you talking about?
Disagree on the “solid HWW”
UX is difficult. Their security isn't secure. And the company in general has a shady past. Sets off entirely too many alarms for me.
Yes. Do a quick search. It’s well documented
Thanks I’ll look into further
What's insecure and what have they done in the past? (I'm not trying to defend them, I want to know.)
tails + xpassxc + sparrow
and borderwallets and/or shamir for backup.
is that bulletproof? no.
is there a better option? also no.
you can't even trust any hw (e. g. intel me) anyway.
I hope we will move away from credentialism
There with you.
This statement about Coinkite? If so, can you point me to the shady shit they've done?
Same question here. Lots of generalities being being thrown out, but no specifics (no names, no examples, etc.)
It’s all pretty public stuff. A quick search will find it. The shady bits are him forking the Trezor code then locking it back down against the open source license. Then he took legal action against Foundation for forking CC before he changed the license type.
Seems kinda shitty to do, but does it make it insecure?
That’s a whole other thing. It’s been researched and documented. It has to do with their secure element. You can find it and make a decision on whether it affects your personal threat model.
You mean the stuff about a year ago that someone had managed to extract the secret with some crazy apparatus when having physical access? (can't remember if it was X-ray laser or what it was - expensive thing anyway)
That is just the surface. The SEs they have used are in general insecure, lack any security certifications, and the Coldcards are vulnerable to many supply chain attacks that I have not published yet.
Modern attacks with the same method you mentioned btw would cost at most $2K with a DIY setup.
Kind of. The developers of Coldcard do not have the security experience required to properly maintain a secure codebase.
well, an easy example would be NVK squatting domains relating to SeedSigner and lying about it, while also sending a takedown request to @Djuri's FOSS blockclock competitor
Oh yeah thanks for the reminders damn the list is longer than I remembered
Thanks for the response and this information. I did a quick search on CC and secure elements, testing, analysis, insecure, etc. but only getting their links and other promo crap...
Thanks for this, looking into Borderwallets and shamir now, new to me. xpassxc is now keepassxc, correct?
Yeah, this is what I use:
KeePassXC Password Manager