Damus

Recent Notes

Bass · 107w
So, I take it your goal is to exploit vulnerabilities so as to bring awareness of willful carelessness in privacy/security choices?
The Daniel 🖖 · 103w
Did you leave us?
The Fishcake (nostr.build) · 108w
I keep telling that we should revive it 🐶🐾😭😭😭
nostrich · 108w
Erm... what about a shared hot key? Or a disposable one? So that we can have multiple individuals manage a single account.
note1sxlzf...
Ostrich McAwesome
A note about public transportation: Exploit that time! The best part about not driving is doing something else while you travel. Bring a book and read. Bring a laptop and code. Don't just sit and look at the window (unless that's what you want to do).

This whole account was conceived on buses and trains.
nostrich · 108w
It's not that. https://image.nostr.build/3f01be6876dcff45dce98678abcfada4bce7a92cbdba2d8ae4ebf3ea0d11464b.jpg It's that I forgot to take out the zero. Apparently it does work 👍
Enki · 108w
Lmao.
nostrich · 108w
Nice idea, but not working in my case: 185.246.188.067 is a Cloudflare IP.
mrecheese 🧀 · 108w
This is interesting. In Amethyst I see what I assume is my Tor exit IP. I'm definitely not in Luxembourg. Using nostrudel.ninja on the PC, I only see the letters. No IP at all. Also of note, I am NOT loading images by default in Amethyst and this shows up anyway. nostr:npub1gcxzte5zlkncx26j68ez60f...
Ostrich McAwesome
This is entirely hypothetical, but if somebody managed to leak a large number of nsecs, the funniest possible thing to do with them would be to shuffle them and then DM them back to everyone affected and watch who takes liberties with the key they received. Then post a list of who got whose key and let the drama unfold.
4❤️3😂1🫂1
SovereigntyQuest · 108w
👀 🫡
Downloadables · 108w
A
nostrich · 108w
That’s mean lol
Skipper · 108w
nostr:npub1sn0rtcjcf543gj4wsg7fa59s700d5ztys5ctj0g69g2x6802npjqhjjtws (and Iris) client have a default option called 'Image proxy service' which I believe solves the issue, right? nostr:npub1wq6n8skpd...
Ostrich McAwesome
The real issue is inconsistency. Different clients have different ways of trying to protect you from the same features, all of which are implemented differently.

Also, using an image proxy may protect you from leaking your IP, but as I have mentioned previously, this would now mean that URLs from your end-to-end encrypted messages would be decrypted and sent to the proxy, damaging your privacy in a different way.

Ultimately, my take on Nostr web clients is that if you're using any other browser than Tor Browser, you're doing it wrong.
โค๏ธ1๐Ÿธ1๐Ÿ‘Š1๐Ÿซ‚1
Pepe NOSTRos · 108w
Sucks but gotta embrace the suck. Part of the process when growing fast. Lots of ideas being tested at once and over time we will see a normalized distribution of features centered around some broad appeal features. It'll come. Just let the devs cook bro. We are moving faster than we have any right...
Mazin · 108w
Every few months one of these self-proclaimed hacktivists comes to point out nostr shortcomings in some malicious and uncreative way. So far none of them that I’ve come across has actually pointed...
Ostrich McAwesome
I'm not going to pretend that what I did wasn't trivial. It was.

But if this trick is so uncreative and unoriginal, why hasn't this attack vector been resolved yet?

If nobody has a reason to fix this, I'll give them a reason.
1โค๏ธ1
Mazin · 108w
What is there to fix in the nostr protocol? If a particular client is loading images from unknown recipients, that’s an implementation choice. If you have a problem with it or think it should be done differently, you can open an issue in their repo or write a PR and contribute to a solution. Or,...
mrecheese 🧀 · 108w
Okay, so this is not some complex hacker thing. VPN or Tor solves it easily. I would've hoped you'd be getting nothing but exit nodes in 2024, but alas...
cryptowolf · 108w
please tell me who i am lol I will click any link you provide and open it with tor browser 😉
elsat · 108w
1) Agree on the anime p*rn being an eyesore for most. Certain relays have more than others. Agree protocol allows for this, and it is the tradeoff of censorship resistance. I see onboarding as the ini...
Ostrich McAwesome
One fundamental flaw I see with this idea is that if you are addressing the method in which I gathered these IPs (via DM), you would have to send decrypted URLs from a user's end-to-end encrypted DMs to the image proxy, which endangers privacy in a new way because it reveals part of the message to the proxy. Now you have to trust the proxy with potential secrets.

Link previews are also a vector for attack here, and it would be even worse to send all DM'd URLs through the proxy.

I also worry that image proxies could bloat the cost of running a client, are a form of centralization (this solution only benefits Damus users), and are a vector for DDoS/Abuse.
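The two posts above (the one on inconsistent client protections and image proxies, and this one on proxies seeing decrypted DM URLs) describe a render policy problem: a client that fetches every URL found in a decrypted DM hands the reader's IP to whatever host the sender chose, while routing those fetches through a proxy hands the DM's URL to the proxy operator instead. The following is an added example, not code from Damus, Iris, Amethyst or any other client named in the thread. It shows one way a web client could express that policy in JavaScript: URLs from senders the user has not explicitly approved render as click-to-load placeholders and are never fetched; link previews are never prefetched for DM URLs; and each decision records who ends up seeing the reader's IP and the URL. The `trustedSenders` option, the `proxy` base URL and its `?url=` parameter, the `.invalid` hostnames and the sample DM are all constructed for the example.

```javascript
// Added example (not from any client on this page): a render policy for URLs
// found in decrypted DMs. Nothing is fetched for a sender the user has not
// approved, so merely receiving a DM cannot reveal the reader's IP to the
// sender's chosen image host.

const IMAGE_EXT = /\.(png|jpe?g|gif|webp|avif)$/i;
const URL_RE = /https?:\/\/[^\s<>"')\]]+/g;

// Pull every http(s) URL out of decrypted DM text and flag the ones that look like images.
function extractUrls(text) {
  const found = text.match(URL_RE) || [];
  return found
    .map((raw) => {
      let url;
      try { url = new URL(raw); } catch (e) { return null; } // skip anything the URL parser rejects
      return { url: url.href, isImage: IMAGE_EXT.test(url.pathname) };
    })
    .filter(Boolean);
}

// Decide, per URL, what the client may do before rendering.
//   options.trustedSenders: Set of pubkeys the user explicitly approved (hypothetical setting)
//   options.proxy: optional image-proxy base URL (hypothetical); the proxy hides the
//                  reader's IP from the image host but now sees the DM's URL itself
// Each entry records who sees the reader's IP and who sees the URL ('none', 'proxy' or 'host').
function planDmRender(decryptedText, senderPubkey, options = {}) {
  const trusted = !!(options.trustedSenders && options.trustedSenders.has(senderPubkey));
  return extractUrls(decryptedText).map(({ url, isImage }) => {
    if (!isImage) {
      // A link preview would fetch the page too; never prefetch previews for DM URLs.
      return { url, action: 'link-only', fetchUrl: null, ipSeenBy: 'none', urlSeenBy: 'none' };
    }
    if (!trusted) {
      // Unknown sender: show a click-to-load placeholder and fetch nothing.
      return { url, action: 'placeholder', fetchUrl: null, ipSeenBy: 'none', urlSeenBy: 'none' };
    }
    if (options.proxy) {
      // Trusted sender, proxy configured: the host never sees the reader, the proxy sees the URL.
      const proxied = new URL(options.proxy);
      proxied.searchParams.set('url', url);
      return { url, action: 'load-via-proxy', fetchUrl: proxied.href, ipSeenBy: 'proxy', urlSeenBy: 'proxy' };
    }
    // Trusted sender, no proxy: direct fetch, so the image host sees the reader's IP.
    return { url, action: 'load-direct', fetchUrl: url, ipSeenBy: 'host', urlSeenBy: 'host' };
  });
}

// Constructed sample: a DM from an unapproved sender carrying an image URL and a plain link.
const SAMPLE_DM = 'hey check this https://img.example.invalid/cat.jpg and https://blog.example.invalid/post';
const SAMPLE_SENDER = 'npub-unknown-placeholder'; // constructed, not a real key

if (typeof require !== 'undefined' && require.main === module) {
  console.log(planDmRender(SAMPLE_DM, SAMPLE_SENDER));
}

module.exports = { extractUrls, planDmRender, SAMPLE_DM, SAMPLE_SENDER };
```

The policy makes the thread's tradeoff explicit in data: the only branch with `urlSeenBy: 'proxy'` is the one the user opted into for an approved sender, and an unapproved sender's DM never produces a network request at all, whichever client or browser it is rendered in.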