Recent Notes
WorldCoin: Where finding dead bodies or killing people unlocks all their wealth for instant transfers for bounty hunters. Modern treasure hunting!! What a time to be alive.
My main concern overall is really the white washing of what security you are actually getting, and what you are not as a user. When people can’t understand easily, they may think they have privacy and live in a sane world… when…
End to end used to mean best possible outcome (assuming the keys used were a sound curve) - and sadly today it’s entirely possible for ‘end to end’ to be something else entirely.
The extent of the scam used to (and often still is,) be SSL Certificate providers attaching ‘$500,000 encryption insurance’ as part of their sold certificates. A bogus un-claimable feature used for marketing and to trick untechnical users into thinking they were highly secure and safe to use their credit card online (this is largely pre the HTTPS push).
Cloudflare are certainly innovators - but in a very centralising way. Their business moat is tied to protecting and growing their centralised empire. Just like any other company, they can be coerced as a business to do a governments bidding.
I’d almost go as far as marking websites or services that use Cloudflare as not a green lock or add a yellow spy glass - but really, browsers are too broken now, best to instead focus on their replacement.
Discussions online typically live elsewhere to their primary source today.
A few reasons why include who controls the primary source, how long it may be around, where/who hosts the primary content, and in what context is the discussion happening - perhaps different aspects/threads are of interest to different groups.
With Nostr the primary content isn’t tied to a primary host or controller/moderator. It’s a published referential event.
Discussions can occur directly in the same ecosystem. No need for bespoke external platforms comment sections like news articles, blogs, discord, forums, hacker news, etc. to host commentary themselves; the content and discussion can co-exist. That’s a truely unique and ultimately the winning model.
What will still need development is how to ingest or navigate or collate or filter or ingest the discussions - as it’s now lumped into a single pool of inter-referencing discussion.
One approach is to skin the discussion into views and effectively rebuild those external platform discussions directly on top of Nostr - tweaking views to suit. Other approaches will develop over time.
Reminder: Cloudflare is a man in the middle, and decrypts all traffic and re-encrypts it using it’s own certificate.
Sometimes this is ok, for example Nostr events are effectively public, and relays can prevent DDOS. However it’s important to understand that the green certificate saying valid cert and encrypted in browsers does not mean private or 100% secure or true end-to-end without ease dropping.
Their ‘malware detection’ capability is more likely there for dual purpose surveillance. If you mature and roll out systems that mass spy on your population, flipping the switch from passive to active is easy.
If I was the government, I’d pay for a few (secret) contracts.
My issue is they make the devices and OS. And I’m not sure we should (read: please don’t) trust apps directly, to be honest, as they are a target vector.
External signing devices are great. What’s missing is a layer perhaps where the external signing device says, “hey, your last message to Dave was to pubkey X, it’s now Y” or similar - however I favour dumb signing devices.
A trusted OS would be ideal to perhaps have this security layer to keep/compare state and make it obvious/transparent - it’s just painful that we can’t trust the OS.
And just to clarify.. you’d need the pinned certificate key/fingerprint - it’s expiry is not enough to detect a change.
Not talking strictly HTTPS. Even so, when have you been directly notified by an app when they updated their pinned certificate? Or even having visibility to a currently pinned certificate and it’s expiry?
It’s not even the key exchange exchange security - that’s largely solved. It’s the swap out and zero-visibility attacks.
I’m largely targeting WhatsApp, Apple iMessages and FaceTime, and whatever large corp constant use a few buzz words that are literally meaningless.
I hope we can do better on Nostr, once key rotation is more mature. We need greater transparency around security related changes. I’m unsure how to include them outside of the app itself - which shouldn’t be trusted.
Nice*
“End to End Encryption” is just marketing without having significant and deliberate tampering detection mechanism.
Examples include secretly swapping out a certificate/key for an identity to middlemen, private key leakage, changes in code to specific safety checks or tampering protection mechanisms, or changes in forward secrecy pre-generated keys, etc.
It would be nice if we had a way to better detect these types of changes and make it very obvious to the identity. As they happen and as part of updates. It would be nose to have a trusted host OS that could help validate.
People seem to assume a single AGI. I’d expect multiple. And for them each to be their greatest enemy.. not humans.
That’s way off. What isn’t is ML used to manipulate humans - with greater control and less effort than current manipulators (media, propaganda, studies, social, etc).
To change culture you need to bring open people into a new established culture — or..
You need a journey of 10,000 smaller ‘truths’ that you lead people on a journey of acceptance to assimilate them. Some adopt sooner than others.
Governments and media - and more recently ’social groups/media’ - have learned this. It’s why history can be rewritten, maps changed, schools curriculum updated, people can believe they will die from something that is statically very rare, and this time will be different or better.. that ‘they’ (in power) learned a lesson or something; or worse, know what they are doing.
The risk of technology is always abuse. And the role of government is to remain in power at all costs.
Control culture and you control the near-term future.
