I think it's worth knowing that the cryptography in Nostr appears to be a wreck. Here's a paper from EuroS&P this year, also presented at Black Hat on the crypto track:
* The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.
* Two major clients, the mobile phone Damus app and the web Iris app, don't even verify signatures to begin with.
* DMs in this system are unauthenticated CBC, so attackers can simply bitflip messages and events to say what they want.
* The apps do automatic link-preview, so they've managed to reconstitute the EFAIL attack: attackers can locate links within messages (they'll be revealed by SNI and DNS anyways) and then bitflip them to point to attacker-controlled servers, exposing both the URLs (which will often contain tokens) and, with a bit of extra work, the message itself (by tacking `?foo=` onto a URL).
* There's no key separation in the system, so you can trick users into running a subprotocol other than the messaging system, then establishing a session key, which will then be used for messaging.
These are really basic errors; this is mid-aughts-level cryptographic engineering. There are probably a variety of other reasons to use Nostr, but end-to-end security does not appear to be one of them.
jonstaab 31 seconds ago [-]
The criticisms are either implementation dependent (not checking signatures, which defeats the entire purpose of the protocol), or based on a very early proof of concept encryption scheme which has since been superseded (by NIP 44, which was independently audited). There's nothing substantial or actionable here (any more).
ursuscamp 2 hours ago [-]
So, I was part of the Nostr community for quite a while and was the author of a popular Nostr extension for Safari, before eventually giving up on Nostr for various reasons.
I haven't read that entire paper. Mainly, I skipped to the section you mention here:
> The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.
I think you and the authors perhaps misunderstand the Nostr protocol. Nostr is, effectively, an identity system tied to a public key. The cryptography is sound. Your identity is your public key. When you request a user's profile, or their events, you request it specifically by their public key. That is unforgeable (assuming no bugs in the implementation, like what the authors found in Damus).
This does present UX issues that can manifest as security issues, such as "how can you verify that a user with a certain public is who they say they are instead of an impostor". That is a separate issue from whether the cryptography itself is sound.
tptacek 1 hours ago [-]
If you read the entire paper you'll see that the paper presents a formalized set of security goals that acknowledge Nostr uses public keys as identities. They haven't misunderstood the system. Meanwhile: the cryptography is obviously unsound: it relies on unauthenticated CBC, and signatures that aren't verified, and provides attackers with the ability to coerce users into following links.
jonstaab 3 minutes ago [-]
The cryptography was thrown together in the very early days as a proof of concept, that reached some level of adoption because of how nostr suddenly grew at the end of 2022. The community has since largely switched to a new standard (NIP 44) which has been independently audited, although there are some popular clients that haven't yet transitioned.
tptacek 16 seconds ago [-]
From a brief scan, NIPS 44 seems reasonable; it's just AEAD ChaCha20, which is boring, which is good.
sealeck 1 hours ago [-]
> how can you verify that a user with a certain public is who they say they are instead of an impostor
This sounds awfully much like a cryptography problem to me!
phaedrus30 56 minutes ago [-]
[dead]
Imustaskforhelp 2 hours ago [-]
why is this the first time that I came across these issues. Someone should talk about these issues asap.
What federated platform might be the more secure tho protocol wise, bluesky (at protocol) or fediverse
nout 49 minutes ago [-]
The paper seems to be referencing issues in client apps during early development of those apps that have since been fixed. So that's likely why it's not being talked about now.
jb55 2 hours ago [-]
> The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.
This is completely nonsense, most clients do in fact check signatures. All relays do as well.
> Two major clients, the mobile phone Damus app and the web Iris app, don't even verify signatures to begin with.
Author of Damus here. this is an analysis of an old version. This has since been fixed. In the early days we connected to a fixed relay list of trusted relays. These relays verified signatures. This was just a pragmatic tradeoff thing until we had an optimized work queue for verifying notes (this lead to nostrdb, a custom embedded nostr database built on lmdb. it's a sqlite but for nostr https://github.com/damus-io/nostrdb)
> DMs in this system are unauthenticated CBC, so attackers can simply bitflip messages and events to say what they want.
not really true since the whole note is covered by a secp256k1 signature.
> The apps do automatic link-preview, so they've managed to reconstitute the EFAIL attack: attackers can locate links within messages (they'll be revealed by SNI and DNS anyways) and then bitflip them to point to attacker-controlled servers, exposing both the URLs (which will often contain tokens) and, with a bit of extra work, the message itself (by tacking `?foo=` onto a URL).
you can turn off these, you can turn off images as well. people should run a VPN of course if they are worried about these things.
akerl_ 36 minutes ago [-]
How does a VPN protect against flipping a URL to exfiltrate the message contents to an attacker-controlled server?
tptacek 1 hours ago [-]
I don't think you can say "this is complete nonsense" and "this has since been fixed" in the same comment. Also: don't use ECC signatures as MACs. Signatures are not MACs.
nout 52 minutes ago [-]
He says "this is complete nonsense" specifically about the statement quoted. Not about the whole report.
tptacek 35 minutes ago [-]
They're saying that about a concrete claim the paper makes that they concede in the next paragraph.
nout 3 minutes ago [-]
I don't want to speak for Will, but from my read he is specifically highlighting that "The event protocol that drives the system doesn't authenticate public keys" is the nonsense, because the protocol specifies that clients validate signatures on events using the public keys.
This makes sense in nostr, because anyone at any point can mint new public key and start posting events and other people are free to start following them, from which point they can ensure that the new events are coming from the person holding the same private key. And this is what relays and clients do.
fiatjaf 2 hours ago [-]
Unfortunately this paper doesn't live up to its goal of being a cheap attack on Nostr.
The fact is that clients do verify signatures from events received from servers, that is in the protocol specification and should be obvious to anyone mildly honest.
The entire assumption of the paper is that clients don't do that and it is void. Yes, they did find a couple of clients 2 years ago that didn't verify signatures -- so much for a vulnerability in the protocol. I guess they wanted Nostr to have a code police arresting client developers who didn't finish their implementation?
Aside from that the attacks they demonstrated depend on a bunch of other absurd circumstances (like you have to manually and voluntarily type the URL of the attacker server in order to be attacked) but it's not even worth talking about them since the basic assumption is so completely false already.
The encrypted messages stuff is not even a core part of Nostr anyway, Nostr is a broadcasting protocol for public or semi-public content. Encryption can be added on top and there are multiple ways and proposals for how to do it, including an implementation of MLS and other methods and I personally mostly do not care about any.
I wish the paper authors were more honest and republished their work with the title: "the dangers of trusting a cryptographic signature without verifying it", but I imagine that it would have been too obvious and worthless if it was phrased like that.
tptacek 1 hours ago [-]
They're academic cryptography researchers. They do not care what messaging system you use. This is what academic messaging cryptography papers look like; a paper like this is why Matrix transitioned (is transitioning?) from ad hoc cryptography to MLS.
lxe 1 hours ago [-]
Why can't these projects separate the use-cases from philosophies and from implementation when presenting them?
At first glance I don't understand what this is. Is it a social network? A protocol? "Pro-censorship? I need to read some blog article...
It's been like this with scuttlebutt/gossip, and rest of the alternative internet/fediverse with mastodont and activitypub and diaspora. Instead of asking questions like "How is this different than email? How does it compare to twitter?", I have to start with "What am I looking at? A technical implementation or a product? Is it a website or an app? What am I supposed to do with this?
There's also Urbit, which I'm sure not a single one of you can explain exactly what it is.
It's not as bad as "Web3", I'll give it that.
Bluesky got it right.
So did gemini to some extent.
dbushell 13 hours ago [-]
A big misconception I've seen is the assumption that Nostr relays are federated and share messages between one another. This is not how it works. So if you're building a "Twitter clone" the client app must search multiple relays and post to multiple relays. If clients are not using a relay in common they cannot see one another.
The end result is a bad experience for both user and developer. Using a single relay is centralised and defeats the point. Using multiple relays is slow and cumbersome and requires the user to know/care which relays they are connecting to.
When I played with Nostr a couple years ago the "NIPs" were already a complete mess. Later NIPs supersede earlier NIPs changing how clients are supposed to interpret messages. At least some are flagged as "unrecommended: deprecated" now.
vnuge 2 minutes ago [-]
Since relays don't own user generated content, there is no need to "federate" client's generally rely on user-selected relay sets. The user chooses where they want to read/write events to/from.
That said, many of the "larger" relays do store events from other relays (federation if you prefer). Primal does, TheForrest does, nostr.land and so on. Nostr.land specifically has a purpose of aggregating notes from many other public relays, with spam filtering. It's a paid relay built for that purpose. Don't want that, use someone else.
Most users get to see 99% of notes from the current relay federation now, but it's also impossible to check those metrics.
Certain clients and signers store notes privately so if a relay ever decides to censor your notes you just publish to a different relay if they don't have your notes already.
Chances are if you use ANY of the popular paid relay providers, your going to get warnings on 3/4 write events that the other relays _already_ have the note published to the first. It's usually that quick...
Finally, relays "federate" by acting as clients themselves. Most relay software available already offers this as an option, may use it as a local cache for when on mobile and network/wifi is slow. Their local relay slowly pulls notes from other relays (or outbox) and caches those notes for when they load their client up. It's cache and the client dev didn't even have to write that functionality, it was transparent.
Finally, other's mentioned outbox, which has it's own set of issues as well, but it doesn't matter because a client developer can choose to give the user the option if they want. Going from federated, to peer-to-peer which was the intention.
sebastix 11 hours ago [-]
Relays can federate. The point is that Nostr as a protocol is saying nothing about this and does not care either.
I'm running an indexer (a relay) which federates with other relay indexers. Similar how activitypub relays work. Any client can connect to indexer to help bootstrapping and find metadata around events. There are many ways to discover stuff from clients even without being connected to the same relay.
t1E9mE7JTRjf 13 hours ago [-]
This is a valid observation and hurdle of sorts. One to me, which is a fascinating problem to work on.
There are a few approaches to solve this. For instance NIP65, where one defines on their profile meta which relays they read/write to, giving clients the ability to discover all the right content. That's just one approach, and some are exploring other ideas. It seems like a very solvable problem anyway.
nunobrito 13 hours ago [-]
There are some messed up things on a few NIP because the technology evolved fast.
Most NIP are fine and continuously improved.
This is trivial to solve when there is there a periodic release of the NIP as done in other specs. So far there hasn't been much need for that formality, most developers understand quickly how to create tools on top of it.
hardran3 12 hours ago [-]
Most clients now support outbox, so you don't need a common relay. Users have inbox and outbox relays, and clients use these to retrieve and send notes.
6 hours ago [-]
causalitycone 13 hours ago [-]
Yep. There is no common model for message propagation, so there is no
“net force” or clear direction.
maxloh 13 hours ago [-]
It is somehow misleading to feature a Twitter clone on the front page when Mastodon is a better way to achieve that.
The protocol's real value lies in other use cases.
jasonvorhe 1 hours ago [-]
Mastodon merged their server-side recursive fetching of remote replies feature in the summer of this year so unless instance admins used 3rd party scripts to achieve that you couldn't rely on your reply actually being shown to the recipient. ActivityPub is complicated like that.
derangedHorse 9 hours ago [-]
Nostr’s UX on Primal is 10x better than Mastodon imo. I haven’t looked into how it works but every time I try an application with it, it’s been an unpleasant experience.
fiatjaf 10 hours ago [-]
That's a misconception: you don't "use" relays (in the sense that you don't have to have a static list of relays you always use), you write to relays. When reading you connect to the relays of whatever the people you want to read from.
Some apps indeed use this method of selecting a static set of relays, and if that was the protocol you would be correct about centralization or bloat, but this is legacy from a naïve unfinished early implementation, most apps do the correct thing now and the rest is transitioning.
rgreeko42 3 hours ago [-]
My "apolitical" shirt has people asking a lot of questions already answered by my shirt. What an odd word to use in the first sentence of your product description, which also includes the word "open", an inherently political concept in this context.
Did/does Nostr have some cryptocurrency connection or am I thinking of something else?
itslennysfault 2 hours ago [-]
They explicitly don't have a "nostr coin" or do anything "on chain" which I applaud them for especially since the Venn Diagram of Nostr and the crypto community is basically a circle.
skeptrune 3 hours ago [-]
yeah, lots of bitcoiners
Retinal7467 2 hours ago [-]
Right wingers have a long history of calling themselves apolitical.
BinaryIgor 3 hours ago [-]
I've revisited this idea/protocol a few times and still have my doubts:
* is there even a need for it? I would say that most people are quite happy with centralized platforms; I don't see it changing anytime soon (why?)
* wouldn't we end up in the centralized world anyways? Even though there could be multiple NOSTR clients and relays, we all know how network effect works - people will flock to a single or a few best ones; does it really change the situation that we have today - a few centralized platforms?
* I don't see clear incentives in this protocol that would improve current social media landscape - granted that I don't particularly like current ads/sell your attention model
I am not sure that having a protocol like this is better that having a few centralized platforms - today's situation. Not to even mention technical challenges and worse user experience that NOSTR brings
jasonvorhe 3 hours ago [-]
It's quite common for people with rather controversial topics to have backup accounts listed in their bio because centralized platforms are so prone to deplatforming people. If that's acceptable to you, then nostr probably isn't for you. I prefer not to beg anyone for permission to publish my opinions on the internet.
BinaryIgor 2 hours ago [-]
Why not to have a website then? That's the only thing that where the content is truly Yours.
In NOSTR, even though yes there is more than one relay, but you still need their permission to publish; and yes, you can run your own relay - but you might host your own website too - no need for new apps and protocols to do this
nout 42 minutes ago [-]
The difference is that on nostr you can have immediate interactions with others, you can get their comments, you can message with them, etc.
In your example you can think about nostr as a protocol on top of "your own websites" that allows all people with "your own website" to effectively communicate and live interact with each other. And creating "your own website" is just a matter of clicking a button in any nostr app that generates private key and public key pair.
I hope this demonstrates how a distributed social protocol can solve many use cases and the advantage to the end-user:
- do not get rugpulled by (VC backed) companies that own your data
- receive zaps/money by contributing
- data is truely available to everyone (but signed by author)
BinaryIgor 3 hours ago [-]
There are also tradeoffs:
* relays can just go away - you don't have your data then
* there is both user-friendly and secure way of managing your private keys; additionally, once your keys are gone, your identity is gone - there is no "I forgot my password" procedure
numpad0 12 hours ago [-]
My back-burner idea: the equivalents of Nostr relays, Mastodon instances, Discord servers, etc. needs to be self-hostable in client apps for decentralized social media to work.
Not only classical P2P software did exactly this, it worked/works beautifully. The only reason classical P2P software did not work and did not replace WWW as application was because of piracy prosecutions that makes users responsible for hosting data with unknown content that would be later revealed to users to have been pirated content that the user would be criminally responsible a la illegal substances through airport checkpoints.
That's bad - both the fact that users' passive actions are incriminating, and substances too. So the next-gen P2P would have to have plausible logging content filters such as AI-based CP and Hollywood detectors that would stop relaying of such content so that users can defend themselves in criminal courts. Or the systems could also be in-circle specific so nothing of value is lost if everyone in a terrorist group would be prosecuted together, though I imagine that could hamper network growth.
But fundamentally, I think the model has to be that all clients are also servers. That's the best way to decentralize a social media.
woile 11 hours ago [-]
I think this is how iroh works. They have "relays" which are servers that help establish a connection between 2 clients if necessary.
This is cool but P2P doesn't work. Iroh also relies on "relays" in a sense. Nostr makes that explicit and gives relays identities so they can freely enact policies instead of having to hack that in weird ways.
philip1209 1 hours ago [-]
The issue with all of these open social protocol is that they fail to grasp that they are built for entertainment, and hence the modulated emotional reactions are a feature not a bug.
TJTorola 30 minutes ago [-]
Existing social platforms are built for profit, which modulates emotion for engagement (something kind of like entertainment, but I wouldn't say I'm entertained exactly by the rage bait I'm often fed by algorithms). Users of an open protocol might select for the same experience, or they might not, I think that's yet to be seen. This also assumes that this fantasy open protocol could also escape the pressures of maximizing profit.
littlecranky67 13 hours ago [-]
Glad to see Nostr on top of HN. It is in its infancy, but Nostr allows for "zapps" (basically sending instant micropayments via bitcoin-lightning) - so instead of using ads and dubious algorithms, you can show your appreciation to content creators by small payments. This is a model for an ad-free, decentralized social media system.
stillsut 8 hours ago [-]
You can also earn zaps for pull requests working on Nostr clients.
And extremely centralized in the so-called Lightning version. Due to ridiculously absurd requirements of the Lightning layer (bidirectional channels on L1, locking funds in advance, solving NP-hard problem thousand times per second a scale etc.) everyone basically resorts to using very few centralized entities as a pseudo-bank, who issues virtual paper, IOUs, which which wallets trade on L2. Basically all negatives of the banks and all negatives of crypto-tokens combined, with no positive sides at all.
Karrot_Kream 5 hours ago [-]
Okay this was what I thought would happen. I looked into Lightning a few years ago and found the whole concept to be quite dense and not something that a "regular person" does. I don't have a strong opinion on the Bitcoiner vs Shitcoiner debate and have been happy to participate in BTC/BCH/XMR style chains, and the ETH/SOL/EVM-style chains as well. But I felt like Lightning ended up acting a lot like the Ethereum L2s with weaker guarantees.
enether 3 hours ago [-]
It's still pretty affordable and not-hard to run your own Lightning node; The pseudo-bank hosted wallets people use (e.g Wallet of Satoshi) is purely out of convenience.
The real lesson is that most people don't care enough about the underlying risks - they care about convenience.
Karrot_Kream 2 hours ago [-]
How much BTC do you need to run a node? And what are the failure modes if the node goes down or becomes network unreachable or something? I'm not trying to be critical, just curious myself what happens if I run a node. Would be happy for any resources you have on hand if that's too much for an HN comment.
phaedrus30 36 minutes ago [-]
[dead]
Karrot_Kream 13 hours ago [-]
Only for tax purposes in the US. If you're worried that your speech will be censored by the government (importantly: corporate social media can censor you on their platforms but can't censor your BTC usage in most developed countries), then declaring BTC for tax purposes is probably the least of your worries in most places.
littlecranky67 13 hours ago [-]
As far as I understand as a non-US citizen, the recent presidential bills anchor your (US citizen-) right to deal in bitcoin between private entities. So the "good" kind of regulation.
t1E9mE7JTRjf 13 hours ago [-]
There is a world outside of USA, and there is even a world within it too - where you can just do things.
anon1395 12 hours ago [-]
Why do you think i'm in the USA...? I am in the UK and it is impossible to buy bitcoin without regulations.
littlecranky67 11 hours ago [-]
With "impossible" you mean you can't use Tor Browser and fire up Robosats to buy Bitcoin via Revolut or Wise?
anon1395 10 hours ago [-]
What if I need to buy something on Coinbase Commerce?
nout 35 minutes ago [-]
That's like saying "what if I punch myself in the face, why does my face hurt?" Try different ways. Don't buy on Coinbase Commerce.
littlecranky67 10 hours ago [-]
What has that todo with anyhting? For Nostr you need bitcoin (lightning) and there is plenty of ways to acquire/buy it anywhere in the world. No need to limit yourself to coinbase.
P.S: anon1395 is likely a new, mere troll account. Well played.
sak5sk 11 hours ago [-]
You could just earn it on nostr...
t1E9mE7JTRjf 10 hours ago [-]
bingo
t1E9mE7JTRjf 10 hours ago [-]
I recommend hodlhodl.
nunobrito 13 hours ago [-]
Not everyone there is a bitcoin boomer. You'll find plenty of monero users and things that are a bit more serious than that.
littlecranky67 13 hours ago [-]
It is noteworthy that zapps are based on lightning (which is Layer-2 for bitcoin), and similar in privacy as monero (and instantaneous).
akimbostrawman 13 hours ago [-]
Lightning is not anywhere near as private as monero. It's a band aid at best. If it was actually private it would get banned and suppressed like monero.
Does lightning work now? A few years ago, I remember they had quite some difficulties. Maybe I should brush up my knowledge.
nunobrito 13 hours ago [-]
It is OK for small amounts like paying a coffee or a few cents.
Not reliable for larger values.
Karrot_Kream 13 hours ago [-]
What's the "meta" like to find payment channels? That's the thing I found weirdest with LN, I needed to find a channel with enough funding. I presume the custodial LN providers just have their own payment channels?
littlecranky67 9 hours ago [-]
There is a sweet spot between custodial and self-custodial wallets: "non-custodial" wallets like Phoenix Wallet or Electrum. You keys, your coins - but expect higher fees (which are still way less than CC providers or other payment processors). No need to manage channels yourself.
Karrot_Kream 5 hours ago [-]
Interesting, they manage channels for you and charge some fees? Makes sense, I'm not averse to paying for convenience.
digitalbase 11 hours ago [-]
It works but requires technical knowledge. I zap (on nostr) every day
And attention that Monero isn't the only privacy coin in town, but it is the one that is without doubt more attacked by governments due to its privacy. You don't see the same treatment for neither LN nor bitcoin, instead you see governments supporting it. There is a big difference.
littlecranky67 13 hours ago [-]
Your link is from 2022 - blinded paths are now here in lightning. Async- and trampoline payments are around the corner. The article is heavily outdated.
I am involved in Lightning and run my own node - it is pretty much private enough for all sorts of micro payments for content creators. Not private enough for organized crime to move large sums, agreed.
You also forget to mention the 51% attack monero recently suffered. Lightning is bitcoin based and way more resilient to that.
That 51% attack on Monero never happened, despite much noise and headlines saying initially otherwise. You can verify this for yourself.
littlecranky67 10 hours ago [-]
The paper does not state what you make it out to be (it sees theoretical privacy-lowering attacks, but not as you state it "lack of privacy"). Practical attacks are not even proven.
And it - too - does not look into trampoline payments. Trampoline payments are a new feature that are not yet in a BOLT standard, but tried and tested in beta and used i.e. by Phoenix Wallet or Electrum.
nunobrito 9 hours ago [-]
It isn't just "theoretical", those are feasible attack vectors.
Anyways thank you for mentioning Trampoline payments, I've learned something new.
littlecranky67 10 hours ago [-]
You do not even acknowledge that monero payments take minutes (plus waiting for X confirmations) up to hours to finally settle. Lightning payments are instantenous, and take seconds (!). While moneros privacy might be higher that lightning, it is completely unusuable as a web micro-payment network.
nunobrito 8 hours ago [-]
I don't think you ever used Monero because payments are settled in a few minutes and the user gets fast notification of incoming transaction.
So that point you raise is fake. However, if you want to pick a more realistic reason then complain about the fees which are still high when doing for example a payment of 5 cents and the fee will often also be 5 cents whereas it should be free.
Anyways, I'm not even a fan of Monero being used for that purpose. The conversation here was about privacy and the lack of it on some virtual coins.
littlecranky67 7 hours ago [-]
There is no point discussing with you, you twist every argument around - "...payments are settled in a few minutes and the user gets fast notification of incoming transaction." is not even contrary to what I wrote, you repeated my point. Minutes to clear a transaction vs. a second (sometimes a couple of seconds) is not even close to comparable. Anyway, I am out of this thread.
10 hours ago [-]
nonameiguess 13 hours ago [-]
I almost want to sign up now because I read comments like this and it sounds abhorrent and stupid, but then I go click explore on the actual page, and the first page of stuff I see is people actually making and selling real stuff. Sure, they take payment in Bitcoin, but they're selling ghee and cacao and there's a community of people interested in alternative schooling. It's not "I'll show you my diary and you pay me for it" that you're describing here. Real goods and services, not "content."
throwaway290 13 hours ago [-]
> > Glad to see Nostr on top of HN. It is in its infancy, but Nostr allows for "zapps"
Nostr has existed for at least 5 years. I remember people migrate there and promote it on Twitter during pandemic. Infancy?
littlecranky67 13 hours ago [-]
Not technology wise, and I was refering to zapps. I meant not many people have a connected lightning wallet to be able to send/receive zapps.
keiferski 13 hours ago [-]
Something I don’t quite get about these new social networks that are clearly aimed at technical people: my model of a truly decentralized social network is more like a network of privately hosted personal websites, à la the original web. Not yet another platform I need to make an account to interact on separately.
Have there been any attempts to make more of a “network” that incentivizes operating personal websites but adds a mechanism for typical social media features like chat, a feed, etc. in a centralized way? The only thing I can think of is RSS, and that is only a way to follow content publication.
jeroenhd 11 hours ago [-]
"Accounts" in this case are just a public/private key pair. You can host your own relay (and nobody will hear what you have to say unless they subscribe to it), but you can use the same public key ("account") on any nostr relay. You can broadcast your posts to all relays, or just some, or just your own, depending on how you feel.
You can, in theory, generate a new key for every post if you want to. The relays don't care.
This is something Mastodon etc. lacks (accounts are tied to servers, so you can't move your self-hosted Mastodon to your self-hosted Akkomo without keeping Mastodon running, and you can't move from one instance to another if your instance admin doesn't let you).
On the other hand, the complete lack of account recovery, even for sysadmins, is something many people will have an issue with.
BinaryIgor 3 hours ago [-]
Yes; and because your key is your identity, losing your key or having it stolen basically means that you have to start from scratch; there is no "I forgot my password" mechanism
t1E9mE7JTRjf 13 hours ago [-]
That's more or less how nostr works, except instead of websites there are notes (a generic type which can be anything - including website content), and instead of servers there are 'relays'.
keiferski 13 hours ago [-]
Yeah the more I read about it, the more it does sound somewhat similar to what I was proposing.
However, the copywriting there is not in this vein at all. IMO the metaphor of personal websites is a simple, universal one that most people can understand. Nostr seems unintelligible to anyone that isn't pretty technical.
nout 31 minutes ago [-]
Unfortunately there isn't a single good metaphor to use for novel thing like this. Some people would get the websites metaphor better, some people get twitter metaphor better, some people get "own your own keys" metaphor. People may be scared of doing their own websites and people have no idea what's involved in that... so help us find the right metaphors here :)
jb55 1 hours ago [-]
most nostr apps you can click a single button to create an account, since it just generates a keypair. no email verification, nothing. what is simpler than that?
you don't even need to know how to host something on a server, the relays do that for you.
t1E9mE7JTRjf 10 hours ago [-]
That's for sure how it is right now. A mix of early adopter techy types. In this case (nostr.com) it's just a website, and not actually apart of nostr. In the same way that weather.com isn't a spokesperson for the weather
andunie 10 hours ago [-]
Why do you say they're "clearly aimed at technical people"? Do you know the minds of people who created them?
keiferski 9 hours ago [-]
At least in the case of Nostr, the introduction text is definitely written for someone that understands tech vocab:
Nostr is an apolitical communication commons. A simple standard that defines a scalable architecture of clients and servers that can be used to spread information freely. Not controlled by any corporation or government, anyone can build on Nostr and anyone can use it.
CaptArmchair 12 hours ago [-]
This an interesting question. Forgive my meandering take on this.
We already have a mix of technologies to achieve that effect. Sort of. Simplified, you can host a personal website on shared hosting, a VPS, or wherever, at the same time chat via IRC or XMPP, and use RSS to create feeds to share tidbits about yourself. Nothing stops you from combining different programs and services to get that.
So, what are the problems you're actually trying to solve here?
Do you want to improve accessibility, that is: lower the bar for non-technical people to join feeds, publish their own thoughts, join group chats,...?
Do you want to improve discoverability across what we already have? Make it easier for everyone to serendipitous finding information? Like, search, recommendations, linking, pub/sub, and so on?
Do you want to solve sustainability? Developing models that also cover the expenses involved i.e. either covering the costs in maintaining tech, or redistributing the costs?
Do you want to solve governance, the issue of providing enough affordances to communities to moderate/govern themselves?
These are big questions, and once you try to solve them together, you'll have to make trade-offs, inevitably. Decentralizing everything sounds great, but that has an impact on discoverability, as well as accessibility. Not having another account sounds great, but that hides complex debates about online and offline, distributed identities.
Even more so, if you dig deeper, our approach these affordances is based on our values. And those can be very different depending on who you talk to. That's where things enter the murky, ambiguous teritory of sociology, culture, and so on where few absolute truths are offered.
That doesn't mean we should just accept throw up hands and accept the status quo, though. Talking in terms of a single "network" or a single "protocol" is too crude to approach these questions. The intrinsic value the Internet offers us, can be found in a handful foundational design principles like standardization, composition, openness,... which allow us to create many networks that host many diverse communities. Each to their own isn't a bad thing as it's too naive to think that there's a catch-all solution that caters to everyone's needs. Balkanization, such as it is, becomes really problematic if it erodes common beliefs we hold about a free, open and accessible digital global network.
Many "technical" people who are active in these niches like Mastodon, Nostr, the Fediverse, or even the Smolweb, do so because they are steeped in a particular (counter)culture that espouses the same values that also led to the birth of the early Internet. Cyberspace really is a marketplace of ideas first. Technologies are an expression of that.
jonstaab 7 hours ago [-]
Very thoughtful points. One thing about nostr is that it does tend to balkanize due to the technical architecture, allowing for different groups of people to use it in different ways (different relay policies, client features, filtering, etc). But the tradeoffs you list are real, and enforce real constraints (the biggest of which is bare keys as identifiers). Many of these constraints can be designed away, which keeps me optimistic. We've had 30 years of research and development into password management, but far less into end-user key management. Even if nostr itself has some fatal flaw, I think a lot of interesting ideas are coming out of it, just because it provides a very different set of affordances for digital spaces.
keiferski 10 hours ago [-]
Yeah, I mean I am not personally working on a project in this space, nor do I have any super-strong feelings about it.
It's more that I like personal websites, from both an ownership and creative perspective. And so I wish there were more approaches which attempted to incentivize that model without creating a complicated new protocol, platform, etc. That might involve making it easier to create and self-host websites, an opt-in directory of personal sites with chat + forums attached, or something else like that.
CaptArmchair 10 hours ago [-]
For what it's worth, pubnix - public accessible UNIX systems - were/are that to an extent. You'd get a free account on some shared system, you log in via a terminal, and you get access to all those things: gopher/gemini/web hosting, chat, bulletin boards,...
But shell access doesn't appeal to non-tech users. It's the difference between engineering the electricity in your own house to become self-sufficient, and just expecting to magically get power when you plug a device in the socket.
otabdeveloper4 13 hours ago [-]
> more like a network of privately hosted personal websites
Can't monetize that.
littlecranky67 13 hours ago [-]
You can zapp on nostr - lightning based payments. There were efforts to bring micro payments to the regular Web, but in the end it failed because in the traditional finance world, you can't just send 2cents to someone on the other side of the world - because intermediaeries will charge you 50cents of fees for that.
BlueTemplar 10 hours ago [-]
Pretty sure that the main reason Flattr (whether 1.0 or 2.0) failed, was because it wasn't backed by the Silicon Valley ?
littlecranky67 4 hours ago [-]
I think more due to subscription nature. You had to pay 10€ every month. With zaps I can send someone 1c or 1€ whenever I want.
keiferski 13 hours ago [-]
No, but maybe you can monetize the "connector" system.
Tepix 13 hours ago [-]
Even if you don't use Nostr as a microblogging social network, it can provide a useful layer. For example Trystero https://oxism.com/trystero (MIT licensed) can use it to establish P2P WebRTC connections without requiring a central server.
scirob 13 hours ago [-]
Thats cool I have been thinking of using nostr , Bittorrent DHT and Mastadon as a cencership resistant multi channel redundant broadcast beakon. All methods must go down before your nodes can't find each other anymore.
jchw 13 hours ago [-]
This is very interesting. In a similar vein, I was wondering a while ago if either Nostr or ATProto could potentially work as part of a peer-to-peer instant messaging system, specifically as a way to have persistent storage and offline messaging. (But using it to establish connections is pretty clever, too.)
vincnetas 13 hours ago [-]
wow this is amazing. was thinking about whipping something similar for my own project but glad that someone had same problem before. saved me some time.
thrownawaysz 13 hours ago [-]
>apolitical communication commons
Some people say that labeling yourself apolitical is 1, a polticial statement 2, a privilege itself which puts you into a certain socio-political position
vincnetas 13 hours ago [-]
whats up with people being afraid of being political. its your duty as citizen to be political. in ancient grece apolotical people were called "idiots". literally thats the origin of the word.
falcor84 12 hours ago [-]
Very interesting, but according to this well-referenced paragraph on Wikipedia, the use of that word was a bit more complex:
> It is certainly true that the Greeks valued civic participation and criticized non-participation. Thucydides quotes Pericles' Funeral Oration as saying: "[we] regard... him who takes no part in these [public] duties not as unambitious but as useless" ... However, neither he nor any other ancient author uses the word "idiot" to describe non-participants, or in a derogatory sense; its most common use was simply a private citizen or amateur as opposed to a government official, professional, or expert. The derogatory sense came centuries later, and was unrelated to the political meaning.
I think you miss the point. On Nostr because technology is apolitical, you can be anything you want - political or not. A draw for some is exactly that; if they've been de-platformed elsewhere for political views, on nostr that can't happen.
spiderfarmer 12 hours ago [-]
I have never truly seen anyone deplatformed over political views. In the end they were always deplatformed for a lack of decency.
This is authoritarian regime bread and butter. Create barriers that only right people can surmount, ban platforms where prominent opponents publish their media, block sources of income or just outright ban websites and newspapers and TG channels.
t1E9mE7JTRjf 9 hours ago [-]
what counts as decency is a political view
u8080 7 hours ago [-]
If everything is political, then nothing is political.
I believe that author(s) just don't want to participate in non-technical discussions around his creation.
Klaster_1 11 hours ago [-]
This is exactly what struck my eye. As someone from RU, I came to strongly identify "apolitical" with silent status quo supporters. Under an authoritarian regime, that means prosecuting people and lack of freedom of speech. Nostr? They'll just declare hosting a relay illegal and criminalize use, like they already did for other services.
nout 25 minutes ago [-]
I think the point is that nostr supports left wing, right wing, totalitarians, tankies, communists, lawyers, nazis, anarchists, javascript developers, liberals... everyone, without regards to their politics.
t1E9mE7JTRjf 13 hours ago [-]
I would interpret it as anyone is welcome. The only barrier to entry is an internet connection, and even that is needed for just part of your experience.
I'd guess it's context is the censorship seen in the last decade on most social media platforms.
goodpoint 13 hours ago [-]
> I would interpret it as anyone is welcome.
...which is a very much a political statement.
N-Krause 13 hours ago [-]
"Welcome" is in the eye of the beholder. Everyone can join, but I am sure as it is also with our real worldwide community, not everyone is welcome or is accepted equally.
But the point is, nostr does not intent to judge that. It happens automatically while communicating. Nostr is just the means to communicate.
t1E9mE7JTRjf 10 hours ago [-]
Welcome in this context means you can use it the same as anyone. There is no everyone, nostr is just tech.
t1E9mE7JTRjf 13 hours ago [-]
Is there a point you're making, or question?
AlecSchueler 13 hours ago [-]
> 2, a privilege itself which puts you into a certain socio-political position
And others say that we should use our positions of privilege to help others, which seems to apply in this case.
veeti 11 hours ago [-]
Those people can stick to their little Mastodon instances where they can play God.
krapp 6 hours ago [-]
>"those people"
Oh look I found the politics.
imiric 12 hours ago [-]
Software is inherently apolitical. Claiming otherwise would be like saying that a hammer or drill are political, which is absurd. Political views are placed on software depending on the author's beliefs, but it's perfectly valid to release software in the public domain without any restrictions or expectations.
krapp 7 hours ago [-]
>Software is inherently apolitical. Claiming otherwise would be like saying that a hammer or drill are political, which is absurd.
No one sells "apolitical hammers" or "apolitical drills." If one has to specify that software is apolitical, it isn't.
No software exists in a vacuum, even the license terms are a political statement. Certainly nostr was created as an expression of fiatjaf's specific political ideals, and those ideals will tend to attract certain political demographics, and repel others.
imiric 5 hours ago [-]
> If one has to specify that software is apolitical, it isn't.
That conclusion doesn't track. In a time when a lot of software has become politically charged, it's perfectly reasonable to specify when that isn't the case.
> No software exists in a vacuum, even the license terms are a political statement.
Software doesn't exist in a vacuum, but not all licenses are the same. There are many licenses that don't place any restrictions on how the software is used. There are others whose authors relinquish all control or ownership. You may see these as political statements, but that would be corrupting their meaning. It's like claiming that atheism is a religion...
Whatever beliefs the authors have does not taint the software at all, unless the software itself is political or they make some political commentary. Communities created around software are political, as societies always are, but the software itself is inert.
The bottom line is that the Nostr project welcomes anyone, regardless of their politics. That is worth mentioning. If it attracts a certain type of political ideology, that has to do with the people who find the software appealing, not with the software itself.
ioasuncvinvaer 39 minutes ago [-]
> If it attracts a certain type of political ideology, that has to do with the people who find the software appealing, not with the software itself.
Or they find that this is the only place their politics are accepted. A nazi bar is not better than any other bar.
goodpoint 13 hours ago [-]
Those people are right. Most of the time "apolitical" is used naively or to hide a political context.
shedside 13 hours ago [-]
"apolitical" and the hero image is literally someone taking a swipe at "government inefficiency"
TheAceOfHearts 14 hours ago [-]
Last time I tried navigating the Nostr ecosystem I found their Twitter-equivalent platform and it was full of people posting about cryptocurrencies and other topics that weren't of particular interest to me.
Are there any major figures of interest primarily participating on any Nostr platform? Or is there any kind of uniquely interesting content that is being primarily produced and shared on Nostr?
enether 3 hours ago [-]
It's inherently a chicken and egg problem. If HackerNews didn't exist and the Nostr community created it - it'd be filled with the same content.
Network effects are everything. The tech can be good but the product may not be - solely because of the network effect. Still - pretty good tech!
pndy 3 hours ago [-]
Two months ago I visited Primal by accident (which appears to be some Nostr instance) and the first impression I've got it's a platform for promoting crypto because streams were just about bitcoins all around
Last year one of users on mastodon I was casually talking to decided to move to Nostr - he claimed in his last posts that some features like pools and voting are locked behind payments there. Can someone shed some light on that? I couldn't find any info if that platform does contain paid features.
scellus 13 hours ago [-]
Same here. I like the idea, have tried the social-network side a couple of times, but my kind of content is missing or I can't find it.
https://bitchat.free now uses nostr for non-mesh contacts somehow, but I see no-one there either.
littlecranky67 14 hours ago [-]
Nostr doesn't have an "algorithm" that tries to find posts that you engage with. You should follow your own list of people, and then you will see their content. There are some clients trying to be more smart, though.
The "algorithm" in any social media is a blessing and a curse. Nostr shifts the responsibility of what to show to the clients.
TheAceOfHearts 13 hours ago [-]
Right, and I'm asking if there any interesting figures primarily using this platform to share interesting content because I don't know of any, and I didn't find any niches that were best served by this platform.
In the past, the way that I would typically get to know people online was either through niche topic-specific forums or IRC channels. Then eventually if we got to know each other well enough, we would connect on other platforms. The modern version of this seems to be Discord. These platforms are all topic focused, rather than being user-first.
Discoverability is important! And one of the limitations of search or tag based discoverability is that you're limited to finding things which you already know about. But it doesn't help you find new things that you don't know about! This doesn't mean that algorithmic discoverability is the only option, for example: you could find some way to map the user's interest spaces and search for unexplored or undiscovered nodes.
digitalbase 11 hours ago [-]
Discoverability is a huge challenge in any decentralized social protocol.
We've been talking a lot about this problem in nostr which can't be summarised in a quick HN comment but gathered some threads if you're really interested
Network effects are difficult to replicate. You need lots of users to get a few solid consistent "content" creators. You need even more users to get the content that YOU like. So, it just amounts to having more users. Some might say it's impossible to replicate some existing social platform like X, and that may be true - but at the end of the day, you can vote with your attention and can contribute in ways you would like your space to be, so if you like say... log cabin content, then you can create it yourself and start amassing a log cabin enthusiast audience who will then start sharing their passion for log cabins.
digitalbase 11 hours ago [-]
As a 1 year nostr user i can relate to this sentiment. Most conversations today are either about crypto or about (building) nostr.
My guess is that the better the network becomes the more that specific content will take a backseat
Quindecillion 13 hours ago [-]
It's still pretty niche. Built mostly for and by bitcoiners, but has potential as a new way of doing social media that isn't reliant on major tech companies.
iberator 13 hours ago [-]
How does it differ from the Freenet[1] project?
AFIK Freenet is the only truly resilient anonymous network that lasted +20 years without literally a single successful attack by the state actor.
It's like RAID over the internet over encryption with global replication of data. Amazing project for PHD thesis lol
Imagine it this way, freenet needs electricity and servers to keep running. NOSTR messages can be printed in paper (handwritten even) and you'd still be able to verify it belongs to a specific person.
Basically freenet builds a network for communication (roads) but NOSTR is only about messages (cars) and doesn't really care about which road is using.
There is no centralization because there is no coordination. There is not even knowledge of what can be happening elsewhere because these messages might not even be using internet to be shared (e.g. radio or paper messages)
On the other side this is what makes it so powerful. You can download the full set of text messages from someone into your disk, that disk be found centuries later and digital archaeologists could easily read the contents because it is plain text.
So it isn't competing against freenet, it will use it very happily when available as option.
benrutter 13 hours ago [-]
Hope this doesn't come accross as rhetorical, it's a genuine question!
Nostr users, how does this differ in your experience from Mastodon? At first glance it seems like the same idea but with the extra ingredient of blockchain, I'm not sure what this adds though, anonymity?
nout 22 minutes ago [-]
I was on mastodon, but the instance that was hosting my account got shut down, so I don't have my account anymore. That can't happen on Nostr. You need to make sure that you store your "private key" (sort of like password) safe.
nunobrito 13 hours ago [-]
First of all there is some confusion because blockchain doesn't play a role here.
You start by creating a pair of public/private keys. That is your "account" but is independent from everything else (e.g. not tied to any specific tool nor web service).
Then you create texts (notes) which are digitally signed with your private key. Using the public key anyone can verify it was you writing it and nobody else.
There is no blockchain in the process, these simple text messages get sent to a multiple number of relays (you can even host them yourself) and other people can read them very freely.
The main difference to mastodon is that exists no central server where someone registers an account and has the power to kick you out from the site (deplatform). This also solves the problem with the mastodon servers decides to stop the service and suddenly everything is gone.
On NOSTR your texts are your texts, and there are multiple copies everywhere (more than 1000 free relays at the momment).
benrutter 13 hours ago [-]
Ahhh, that's a helpful explanation, thanks!
So with Nostr - it's decentralised to the point that I'm (me the user) the individual point that's sending et, rather than Mastodon which is decentralised less such that there's multiple servers with many users.
nunobrito 13 hours ago [-]
That is correct. Plus, these are just plain text messages in the end of the day.
So you can always download and read them easily. I'm an old person from the forum days and was really annoying that whenever a forum would go down, all the useful posts and info shared over the years would disappear too. With this kind of mechanism, it is easier to rescue that data.
NOSTR isn't just about twitter-clones, it can basically be used to replicate blogs, forum and chat apps that exchange messges.
numpad0 13 hours ago [-]
Last time I checked(years ago), it was like Mastodon but there are only dozen servers, and posting once in standard clients post it on all servers. Everything is a tweet, and servers serve you contents based on what it remembers about you. The core principle is that bans and refusals by server operators are at best customary since users can receive the same information elsewhere, even transparently.
Though, they did happily filter Macau casino spams flooding the system, so I wouldn't be so sure. Workload of posting to and receiving from dozen servers was also not trivial when I was trying it out, and architecture changes to reduce duplicates and/or syncing databases across hosts were actively discussed. I guess those works were never completed judging by comments here?
jonstaab 7 hours ago [-]
It's very unlike mastodon in that server operators have minimal control over user identities and content. Spam control is still a work in progress, but has come a long way through web of trust and more responsible relay operation. I invite you to give it another try!
grumbel 13 hours ago [-]
The fundamental difference is that with Mastodon, or any Fediverse service, the server still has full control over the user. It's basically no different from regular Facebook or Twitter, just with some optional federation on top that can be switched off at any time (and often is).
On Nostr the server is just a dumb relay, it controls and owns nothing. User identities are proper public key pairs. If a relay goes evil, you can just use another one or use multiple at once to begin with, since the location of the messages is irrelevant, everything is held together by public keys.
irusensei 9 hours ago [-]
From my observation the federation is largely split between sides that don't like each other. The main block where the main instance lies is very trigger happy to block entire instances and if a server administrator doesn't follow the group think other server administrators will block you out of "lack of moderation". Account portability exists but requires that you be in good terms with the server admins. Which is fine. Their database and they do what they want but it felt like Reddit with less professional moderators.
On Nostr your account is your signature so there is no such thing as creating an account on someone else's database. You push to multiple relays where people can follow you so even if relay operators ban you there will always be some relay willing to host your stuff.
Others already pointed out there is no blockchain involved other than using the same secp256k1 as Bitcoin for signatures.
13 hours ago [-]
fiatjaf 10 hours ago [-]
There is no blockchain, only basic cryptographic signatures on each message. And users are not tied to any servers, they can read from multiple or write to multiple. They can (locally) aggregate data from many servers or connect to a specific server, same for publishing, it's very flexible and different clients choose to do it in different ways and expose different interfaces to users.
jrflowers 11 minutes ago [-]
I love this:
>Nostr doesn't subscribe to political ideals of "free speech"
Under a tag that says “pro-censorship”.
I think I could maybe (?) imagine what they’re trying to say there, but “a lack of censorship is political and the presence of censorship is apolitical” sounds like something a person would say after a humongous bong rip of salvia or sustaining a life-threatening amount of blood loss
SLWW 1 hours ago [-]
The most endearing thing about Nostr is that the User IDs are just the most concise, and shortest of all ActivityPub Compat. protocols.
mwkaufma 3 hours ago [-]
"apolitical communication commons"
So, for center-right users.
dlivingston 23 minutes ago [-]
where does this idea that apolitical = right-leaning come from?
AlOwain 2 hours ago [-]
I believe that their intention was closer to "regardless of your personal political beliefs"; not "average of political beliefs".
r721 11 hours ago [-]
I still don't understand how Nostr would behave in this hypothetical scenario - a bad actor creates 100k key pairs (via residential proxies) and posts 10 LLM-generated replies to each new post. Who would fight with that wave of spam exactly and how?
digitalbase 11 hours ago [-]
This is happening today.
The answer is trusted relays and Web of Trust
Long-time nostr user. My feeds are all spam free. Not to say there aren't any other problems :-)
r721 11 hours ago [-]
I guess it's easier with commercial spam when they have to advertise something, and that could be detected (website, product, etc)
But when it's just a new account with a few LLM-generated replies - how would trusted relay automatically detect the malicious intent?
fiatjaf 10 hours ago [-]
You only read from the relays you want, relays have all the tools in the world to reject spam, therefore the solution is just to have clients that help the user enforce selecting only what they deem as "safe" relays in order to read replies from.
dewey 13 hours ago [-]
I've tried to use it many times, through Damos on iOS, but it's littered with dead and abandoned projects and an alternative UI that worked one day, will just be gone later.
In the end the content I was seeing there was almost exclusively about Nostr and Crypto so it wasn't that interested to keep using it.
sak5sk 11 hours ago [-]
Yeah, it takes people to get good content worth paying attention to but if everyone says "it's dead" then it will remain dead. But if people voted with attention and said "yeah, it's kind of dead, but if I hang out here and my friends join, then it will be less dead and people will notice and also join..." You basically create the future you want.
dewey 11 hours ago [-]
That just describes any social network cold-start problem. If you want to solve that it needs to be really easy for regular users to join and contribute.
Example: Click "Join Nostr" on the nostr.com landing page and the first thing you see is "private" and "public" keys. Click next, you land on 4 example nostr clients. One is broken, the other one is filled with japanese content, the other one is a GitHub repository etc.
It's a cool project from a technical pov as the system is quite simple but you can not expect regular content to start popping up if the experience is only tailored towards motivated tech nerds.
I tried to improve that by making it easy to syndicate the content of Kirby (A blogging framework) to Nostr (https://github.com/dewey/kirby-posse/pull/9) but ran into many issues with how the various clients support and show images and lost interest along the way.
Ambolia 13 hours ago [-]
It would be cool if you could somehow form chains of trust with this, maybe even with links to other social media, where you could "follow other people that this guy has vetted". I want my social media censored and curated, but I want to choose my own censors and curators.
sak5sk 11 hours ago [-]
Nostr actually has web of trust (WoT) implementations. I think Coracle has this and some others. Nostur even lets you specify how far you want your web of trust to reach. Pretty cool stuff!
HuwFulcher 13 hours ago [-]
There is the concept of Data Vending Machines (DVMs) and curated follow lists now.
There’s also work on a Web of Trust in some clients that filters notes from people that don’t meet the WOT score. It’s essentially a weighted score based on who you follow and who they follow
The Nostr protocol as such does not look like a huge revelation. JSON, hashes, signatures, and that’s about it. JSON is not a cryptographer’s best friend, by the way.
Effectively, everything else is left to be implemented.
That probably explains try-everything-see-what-works approach to client apps?
t1E9mE7JTRjf 13 hours ago [-]
You're missing the point if you are evaluating it by looking at random facets like JSON and hashes.
Nostr is an interoperable data layer. Anyone can build on it, and users don't get locked in, since the data layer is separate from the apps (clients). It puts the onus on app developers to make a compelling experience, and not F over The (not their) users. This upending is imo what the revelation is.
Likewise, that everything is left to be implemented paints a picture of how developers can make it how they want. Like lego but you can design the bricks too. Cool.
gwd 11 hours ago [-]
Don't know much about Nostr, but wondered re the spam problem, if it would make sense to introduce the idea of proof-of-work for the identities? A quick search shows that the have optional PoW proposals for notes (i.e., individual posts), but I didn't see anything about PoW for identities.
People could spend $1, or $5, or $50 of compute for an identity, and others could use the cost of the identity as a filter. Having a $5 ID put on a blacklist would make poor behavior of any sort more costly.
Identity on nostr is just a public/private keypair.
You can enhance that identity by sending a kind0 (metadata) note with your name, bio, pictures. So i guess you're suggestion to add PoW for kind0 events which is covered by NIP13 too.
gwd 10 hours ago [-]
Right, so the general NIP13 could be used to define a "ID proof-of-work" note attached to an ID. You could add PoW notes after ID creation, or create new, more difficult notes if the original one turned out to be insufficient.
But although there's the technical components available to easily build such a thing, you're not aware of such a standard having been discussed, much less defined?
EDIT: To be clear, the idea for this would be a equivalent of the "blue check mark", but 1) you pay it yourself and 2) you can make it as cheap or expensive as you want.
fiatjaf 10 hours ago [-]
Yes, that makes sense and that can be used later by relays and clients in order to decide whether to store or display notes from identities. In fact that's a pretty good idea.
tempodox 7 hours ago [-]
> Nostr is an apolitical communication commons. A simple standard that […] can be used to spread information freely. Not controlled by any corporation or government …
One could argue that this is a deeply political thing, just not one that the usual suspects would care for. +1.
Karrot_Kream 13 hours ago [-]
There's also Stacker News which is centralized like Reddit or HN but uses BTC micropayments over Lightning in lieu of upvotes. It's a lot slower than HN but so far the SNR is a lot higher. It's also a bit dominated by Bitcoin content (much like some Nostr stuff.) Whether that's just a function of size or not is yet to be seen.
seymon 13 hours ago [-]
Is there any concept of private key rotation or something else? In case a client with a nostr key on it got compromised or something similar? With a traditional password passed logins I would just set a new password from another machine. Regeneration of a new nostr key would mean it's a new account isn't it?
But it's still early and not all clients support it.
christoph123 14 hours ago [-]
What's a good place to get started? Any favorite apps from these? https://nostrapps.com/
nunobrito 13 hours ago [-]
https://yakihonne.com/ tends to be a good experience for browser and has apps, after that https://primal.net is also quite good as introduction since their UI is similar to what you are used in other platforms.
Then there is https://www.amethyst.social/ which is excellent because it brings out more of the potential of the platform.
hardran3 12 hours ago [-]
Both good choices. Amethyst is a great choice for Android.
Jumble.social is a good web client.
cropcirclbureau 7 hours ago [-]
Word of warning: was blasted with NSFW on the first page of that link.
nunobrito 1 hours ago [-]
No you didn't. Please stop the FUD.
You and your 3 friends tend to do the same every time NOSTR is mentioned just because you use another platform. Please be honest and admit the affiliation.
digitalbase 11 hours ago [-]
I send this video to people a lot when they ask me to learn about nostr
Damus was one of the first apps and is pretty good.
Lots of people also like Primal. It's well polished and replicates Twitter/X reasonably well.
Arathorn 13 hours ago [-]
> "An open protocol with a chance of working"
One of the most depressing things about the decentralised protocol space is the adversarial attitude to other projects - whether that's Nostr v. ActivityPub v. ATproto v Nostr, XMPP v. Matrix v. IRCv3 v. Deltachat, etc.
Imagine if the energy spent on positioning yourself relative to other open-source projects (who should be fellow travellers, if anything) was instead invested into competing with the centralised proprietary incumbents instead.
The same applies to open source as a whole, but it's depressing to see the same vibes leach into the literal tagline of the project.
rollcat 11 hours ago [-]
Doesn't help that all of the major decentralized protocols have been very effectively undermined and pushed aside.
GTalk first de-federated (weakening XMPP as a whole), then killed XMPP support completely. Reader effectively killed RSS for casual users. Email has been swallowed whole by the oligopoly of GMail+Yahoo+Outlook+iCloud+etc; spam is a real problem, so if you're self-hosting your email, you kinda expect to be blocked by default by the large networks.
Existing, corporate-backed efforts are "open-washing" their services.
Signal is supposed to be using an open protocol, but IIRC won't even let you join their network if you use an alt client.
Following Twitter's demise, Bluesky popped up, and promised federation. I didn't check in a while - did it happen yet?
Actually open networks? Mastodon took off like crazy, but everyone tried to register on the "main", biggest instance - we got bamboozled so hard, we can't even comprehend what "decentralized" is actually supposed to mean.
I don't understand. Can someone explain it to me from a technical/IT perspective? Is it like HTTP or JSON, or like XMPP...?
"An open protocol with a chance of working" = ?huh?
"Nostr doesn't subscribe to political ideals of "free speech"" = ???huh?
"BEEP BOOP" ???wtf??
Please don't explain technical things as if you were talking to children. Explain them as if you were talking to a colleague sitting next to you. Talk to them as a person and as a professional.
N-Krause 13 hours ago [-]
It is a standard of how one thing talks to another thing. It is JSON with some fingerprinting/hashing send over Websocket. Thats basically it. What you do with it, remains up to your implementation.
Thank you! Exactly this "It is JSON with some fingerprinting/hashing send over Websocket" should be write there somewhere + put a link to the documentation and an example of how to use it. I don't want to watch an hour-long video.
littlecranky67 13 hours ago [-]
Nostr is decentrialized, working with public/private keys. there is a very basic message format, messages are sent to "relays" that forward and store messages to other relays. It is up to the relays (anybody can be a relay) to connect to each others, chose a policy what/whose content to forward, whom to grant access, and how long to store and re-broadcast messages.
If you are familiar with the IRC chat system, it is similar to IRC but with JSON messages and the ability to store & resend messages on the servers. Servers have to connect to each other and are free to each have their own policies.
nunobrito 13 hours ago [-]
It is basically email on steroids.
You write an email (note/message) but instead of sending it to one server, you can send it to multiple servers of your choice. Each message is digitally signed with your keys and a time stamp, so you can verify that the identity is truly yours no matter where the message came from.
In my opinion is the most innovative way of communicating that I've seen in the last 20 years. There is no concept of server nor permanent location.
A relay can refuse to receive your messages, but they can't block your account because you can always write new notes, sign them and send to wherever people want to read your texts.
Imagine the case with Trump when he got blocked from Twitter. With a click of a button they have deplatformed him, with NOSTR he would have just continued writing and people would simply tune to another relay to keep reading his texts.
On top of that are other good developments. For example, file sharing also became decentralized. So files, images and other media can be sent to the relays and you mention them from the notes based on the file hash which is good save content when someone else hosting your texts and media decides to stop hosting.
Those phrases you mentioned do not sound like they were addressed to children, and they have more text afterwards that expand on them.
Maybe you could explain what they're lacking?
logicchains 13 hours ago [-]
One potential positive of the recent censorship and deplatforming targeting the left is that it may accelerate the development of censorship-resistant platforms like Nostr, given the left has far more technologists than the right.
staticelf 14 hours ago [-]
I like the idea of nostr but when I tried to use it it was a lot of CP which made me instantly stop using it. I guess the issue with this type of protocols is that there must be a way to prevent these very dark and illegal content.
As a user I don't want to see it and the submitter should be found and jailed for distributing it. Right now, it's hard to know where it even comes from since it can come from any of the relay you are connected to. Most apps do not show which relay the content originates from and honestly, what can you do?
I guess one solution is to only use paid relayes or heavily restricted ones that require invitation. But if that is the case, it kind of defeats the purpose of Nostr to begin with IMO.
jasonvorhe 2 hours ago [-]
It's a more censorship resistant platform, of course it'll see some spam. If this happens, you'll see lots of outrage, people see it as a way to test out and improve WoT.
The content (images, videos) itself is often quickly removed by blossom/media relay runners, especially if people report it and once they're cleared the spam notes are basically worthless to anyone because they're just dead links and spammy/abusive hashtags. Due to the hashtags is still quite easy to purge them.
I run my own relay and self reported it whenever one of these notes or uploads hit my systems. I built a quick shell script using AI to take care of almost all of that.
nunobrito 14 hours ago [-]
That statement is wrong at best scenario and fake at worst.
I'm a long time user of NOSTR. When you enter the network through any of the main clients you will only see curated topics (trending). The WoT assures that the best content comes up.
stonogo 14 hours ago [-]
I had almost exactly the same experience and lost interest for the same reason. Am I wrong or fake?
Geep5 14 hours ago [-]
Same experience here, im still trying to but that's tough to get past.
nunobrito 14 hours ago [-]
Either of them. I can't even fathom how this would be your first time experience there, other people here on this topic confirm that it doesn't happen.
If you feel that is wrong, please describe the steps to replicate such situation.
stonogo 13 hours ago [-]
Happy to help.
Step 1: In 2023, notice a crypto spam post on Mastodon with a weird account name.
Step 2: Look up what could have made that post, which was bridged from some other service.
Step 3: Set up a key, grab a client (I used a web client that deployed to Netlify's free tier).
Step 4: Follow some howtos, add relays, follow some accounts that repeat other accounts, try to figure out how discovery works.
Step 5: Start seeing really disturbing content.
Step 6: Delete all this stuff, and write it off in the same bucket as Freenet.
Step 7: Wait some years.
Step 8: Get called a liar on a web forum.
t1E9mE7JTRjf 13 hours ago [-]
What relays were you on? I have never seen CP on nostr.
Did you start off following the crypto spammer mentioned or that was just what caused you to find nostr?
I'd be curious how you built your initial follow list, as that and the relays you were on is the source of what you see. Kind of like if you go to weird ass websites you'll see that content, but nostr itself doesn't expose anything to a user, it's only a network for content read/write.
stonogo 4 hours ago [-]
I did not keep detailed notes, but there were a couple Gists and a couple blogs that listed relays and stuff to follow. I'm perfectly willing to accept that there was bad stuff in thoses lists, but I don't really care about the mechanisms behind it. Easier just to move on.
Heck, you can even install NOSTR clients directly from the App and Play store since years.
It is very unbelievable that you followed such a complicated process, even went to effort of deploying to a server (what?!?) and then somehow you see disturbing content without looking explicitly for it.
In case you are sincere, try it again using any of the common methods.
stonogo 4 hours ago [-]
It was years back and I didn't even care enough at the time to take notes on the process. I typed up the how-to partly as a joke because I found it funny some rando was demanding a detailed reproducer for an afternoon of screwing around ages ago.
I did find the client I used; it was called "branle". I'm not in the habit of installing random shit on my iphone, thanks. Deploying things to Netlify is super easy, especially when the software is designed for it explicitly.
I will not be trying again, because as I said elsewhere in the thread, I don't actually care about nostr. Bluesky is working fine for me these days, and in the event that stops being the case, I won't be revisiting the one I already wrote off.
throwaway290 13 hours ago [-]
Do you really think somebody would try out a new platform 2 years ago, immediately drop it due to shady stuff and remember all the non trivial steps involved in this process?
> you can even install NOSTR clients directly from the App and Play store since years
Since feb 2023, apparently;)
nunobrito 12 hours ago [-]
He just detailed a very weird and vague way that is unbelievable.
I'm a user since January 2023, there were plenty of well-known web clients already available back at that time (e.g. coracle, amethyst, etc). You enter the clients, there is a WoT by default and shows the most proeminent conversations typically.
My experience was never as the one he describes. Not even at the beginning, as you can see for many others here on this same publication. Those few (3?) cases mentioning otherwise will never provide real details for their claims.
jazzyjackson 2 hours ago [-]
I know if I encountered CP on a burgeoning social network the first thing I would do is go on my blog and detail the steps to reproduce.
throwaway290 12 hours ago [-]
it is possible if it is a protocol not a platform. Like there can be illegal stuff over http, there can be illegal stuff over nostr and a normal person can come across it. Actually way more likely on nostr because on web we have centralized https certs and dns which is used all the time to block cp and the like
It's funny when people first say "nostr is just a protocol and completely not subject to censorship" then "there is no way a new user would encounter bad stuff on nostr". pick one?
staticelf 11 hours ago [-]
Sweden has a website called "dumpen.se" which tricks and publishes pedophile that are trying to abuse children.
The leftist media hates this website because they are doing an effective job. They are calling them all kinds of things.
When people are effective in tracking or publishing about pedos, there are always a lot of people saying you are the problem, not the pedos. I wonder why. There are a lot of pedos out there (just look at dumpens work it's kinda obvious) and they are of course using services that are anonymized and decentralized like any other.
Usually they are also very active online and attack people that try to cut their illegal actions online. Just look at my original post, it is downvoted. I just wanted some kind of action towards cutting pedo content and it is frowned upon by these people.
jasonvorhe 2 hours ago [-]
I don't see what any of this has to do with nostr.
nunobrito 10 hours ago [-]
Very much unrelated to NOSTR which is a transparent network with a Web Of Trust enabled as default for users.
It is a grave and unfair accusation to associate NOSTR with such nefarious activities, that was the reason why so many protested against that labelling.
staticelf 12 hours ago [-]
What exactly is wrong about my statement? Stating that my experience is wrong is stupid.
I don't know how the app I used works. I simply used the "Snort" app, connected to a few relays and did not use it for a couple of months. Then I came back and instantly saw CP freely shared. Instantly removed the app from the phone.
You can't say that it don't exist when people like me have seen it with their own set of eyes. This only makes protocols/projects like nostr set to fail, since regular people won't fucking care and just think of the nostr as something pedophiles are using, which they would not be incorrect in thinking at this moment.
I was betting on nostr in the beginning, I was running my own relay and started on a nostr client. But I gave up since clients came popping up everywhere so I didn't really have time to compete.
numpad0 13 hours ago [-]
Yeah, when a layperson says $SOCIAL_MEDIA is full of child pornography, it often just means legal anime content that would be on advertisements everywhere in Tokyo, especially anime contents that are LESS explicitly sexualized.
This happens because Japan always has disproportionately massive online presence with significantly better democratized attention engineering, and so content selections naturally mimic a crossing at Akihabara(despite it almost has been entirely superseded by Chinese tech cultural centers such as Shenzhen), not the Times Square(in NYC), which infuriates a lot of somewhat vocal people.
And, the reason why I must bring this up is that it is not merely it is inaccurate labeling, but it is also counter productive to not face it straight on. Such as, people would move away from pornography, making it less actually pornographic, which is more child-pornographic by the standards of people using this term in this manner, because that is what are considered LESS sexualized contents by its producers, which by the way exist in orders of millions in Japan and leaking out fast into Asia at large.
TLDR. Hating anime, fine. Just don't call it CP. Your words sound opposite of intent. That's what brought us here. So stop.
staticelf 12 hours ago [-]
1. I am not a layperson. I used nostr while it was still under active development and when it only had a few NIPs finished.
2. I have been to Japan several times, I know the difference between anime/hentai/lolita and stuff like that. This is not what I was experiencing.
3. I have nothing against pornography in general.
The issue is that when people bring up shit like this, we are not taken seriously and this hurts projects like nostr. It will never reach momentum if no steps are taken to prevent illegal material and dark shit like CP.
Calling me a liar makes me believe that you are intentionally are downplaying the experiences I and others have, which is helping pedophiles and similar people share their illegal content freely and without consequences. Why I do not know and you should seriously think about it and stop.
numpad0 11 hours ago [-]
- The smaller group says they see TONS of $thing,
- the larger group says they see NONE of $thing,
- both are looking at the EXACT same thing.
-> The disagreement is in the definition of $thing.
It can't get clearer. How else would you explain it? Either you're lying(I guess not), or your definition is way off, or those secret underground organizations made some mistake and their secret Facebook group illegal content leaked out(no such thing on Nostr). By far the most likely scenario is that you're grouping from traffic cones to boxes of oranges to parrots in a forest into the exact same category of offensive contents by standards that nobody else could even understand.
jazzyjackson 3 hours ago [-]
Or maybe nostr is based on relays and no one user sees the whole network?
photios 14 hours ago [-]
That's quite the bold faced lie. I've been on nostr for years and it's been pretty friendly and never offensive.
staticelf 12 hours ago [-]
And.. why would I lie? I used nostr for a little while in the very early days. Stopped using it then came back and had this experience on a major nostr app.
You're lying about me lying.
BoorishBears 14 hours ago [-]
3 people have shared this experience in the thread.
Is there a fundamental reason this wouldn't be true? Isn't it a place where people can anonymously share multimedia with minimal moderation?
In my experience even the most toy application exposed to the wider internet will face this issue.
t1E9mE7JTRjf 13 hours ago [-]
What I would consider is that nostr doesn't show you content. The content you see is a function of:
1. The people you follow
2. The relays you read from
3. The clients (apps) you use
I can't think of any clients which surface weird stuff (I've never seen any on nostr).
I think to reach this situation a user must follow weird accounts and thus get their content - but then I can't see that as being nostr related, since someone could do that on the internet or other networks.
numpad0 13 hours ago [-]
It's euphemism for anime. Listening to these draw lines between porn and not-porn ever clearer, which users interpret that inside the line is free-for-all, and anime wins and obliterates everything even harder after the fix is implemented or strengthened.
These people come back fuming hot with more derogatory, still indirect, descriptions, and cycle repeats. This has been a "problem" for social media for almost as long as I've been online.
nunobrito 13 hours ago [-]
Everytime NOSTR is mentioned there are people from other networks coming here to spread FUD.
The best thing is asking them to provide steps for replicating their claims, which they won't since it is the not the common user experience at all.
numpad0 10 hours ago [-]
Yeah, they could say such and such handles are spreading content disgusting in such and such ways, e.g. "users like Sam Altman are posting astronauts riding horses on the Moon". They don't have to be so specific that exact contents would be actually accessible, only plausible. The mental imagery would not have to be precisely imaginable to disgusting details.
It's odd that they see "tons of" things that they can't describe beyond it belongs in the category, as if, just as if, actually characterizing it beyond making trust me remarks would lead to formation of broad consensus against them rather than against the contents.
0xAFFFF 13 hours ago [-]
Every time a crypto user faces criticism over their favorite technology they frame it as FUD. Quite a marvel of nature.
nunobrito 13 hours ago [-]
Not really. Cryptos are born out of criticism for current systems and they are an ever evolving technology fueled by those same critics.
What doesn't make sense is when the other party starts making stories just to tarnish other competing technologies. Just now the OP was asked to provide details to replicate his findings and those were indeed very "fuzzy" to say the least.
troupo 12 hours ago [-]
> Cryptos are born out of criticism for current systems
Nope. Most are born out of people not understanding how existing systems work and/or looking to get rich quick.
> an ever evolving technology fueled by those same critics.
No, it's mostly a self-perpetuating self-congratulatory hype machine busily re-inventing the systems they criticise
> What doesn't make sense is when the other party starts making stories just to tarnish other competing technologies.
What does make sense is the extremely fragile ego of crypto bros who can't stand any criticism towards their scams and hype, or the mention of any possible issues.
nunobrito 10 hours ago [-]
All of that is correct, albeit not the full picture.
Crypto wasn't created as a "get rich quick". I say this because I was there since the early days and participated quite a bit on the related BBS. Back then you'd already make good money building bots for day trading on stocks, crypto was really about a type of currency that no government could touch.
Nowadays the large majority of users are desperate to make some money through pyramid schemes and pure speculation to "get rich quick" albeit they usually end up losing money. The small minority is doing what they've always done: looking at systems, criticizing systems and building their own solutions to those systems.
There is really good stuff being built. Not many do it, granted.
immibis 13 hours ago [-]
Everything I don't like is FUD.
hardran3 12 hours ago [-]
Anytime I see something that is NSFW it is from the fediverse bridge.
digitalbase 11 hours ago [-]
I think this is a real problem of "an open network". Disgusting people will find the network and abuse it.
> Relays have to become more whitelisted and less open, and clients have to implement outbox model and stop relying on 2 or 3 big relays, then we can just stop worrying about this.
sebastix 10 hours ago [-]
> I think this is a real problem of "an open network". Disgusting people will find the network and abuse it.
Question. Do you prefer open or closed networks? I'm sure you are aware that the internet is an open network.
the_real_cher 13 hours ago [-]
Its horrible but that kind of content means theres no censorship.
Its on the individual to block that kind of stuff.
nothankyou777 14 hours ago [-]
[dead]
camillomiller 14 hours ago [-]
I find open protocols the most naive endeavour in tech nowadays.
The reason why social media protocols work is because the incentive is to have them siloed, controlled, and artificially convincing people through algorithmic suggestions that posting what they had for lunch is somewhat interesting.
These protocols seem to think that people actually want an alternative to what Instagram, Facebook, X etc. give them. They don't, we all just want the comfort of our own little bubble and a constant feeling of perceived fame.
The rest, and all the talk about the protocol that underlines this is just fluff for nerds that will have zero impact in a society dominated by tech capital.
Do you wanna change social media? Try and find and effective way to bring them down.
internet_points 13 hours ago [-]
even nostr seems to want bubbles, under Why not just use Mastodon/Fediverse? they write:
> The most interesting feature of Mastodon is that by its nature it creates communities with shared values that grow in each of its servers. Or, should I say, that should be a feature if it actually worked like that. In fact these are not really communities, but a mashup of users that may share some interests among each other, but also have other interests and those other interests end up polluting the supposed "community" with things that do not interest the other users.
ie. they're complaining that federated communities are too diverse and multi-faceted, instead of being divided into nice little laser-focused grids of shared interests
jasonvorhe 2 hours ago [-]
I think you're misinterpreting this statement. I'm using nostr for more than a year and I can publish to any free relay I want to. On Mastodon your account is tied to a specific instance while on nostr you have a private/public key pair that's independent of any relay. There are some more focused/curated relays that have additional filters/rules or only allow certain people to publish (whitelisted public keys, often paid or invite only). I know of no mechanism on nostr that would force anyone to stick to certain topics or issues.
I think the point of the quote is that Mastodon tries to be both a topic-centered community platform as well as a "everything goes" public social network like Twitter/X but the federation aspect is not true decentralization because you can easily lose your social graph/reach if some instance admin doesn't like you or your own instance gets #fediblocked.
Quindecillion 13 hours ago [-]
Do you have any suggestions for an effective way to bring them down?
Perhaps building alternatives that can replace them on run in parallel is the best way to do that?
digitalbase 11 hours ago [-]
My approach for bringing them down is working on better systems/UX than what the closed-silos currently offer...And we have a long way to go.
But...Nostr (and other decentralised social media protocols) can offer things the existing platforms can not do: interoperability.
Imagine the people you follow to be the same from FB, to strava, to spotify...
Imagine the content (signed notes) you make are available on different clients/platforms
That UX, perhaps for use-cases and projects we can't imagine today will be so much better than what we have today. I've tasted a little bit of just that switching between my Nostr twitter-like client (Primal/Yakihonne) and the Podcast app (foundtain.fm). It blew my mind.
This opens use cases the existing platforms can only dream about.
camillomiller 12 hours ago [-]
Pushing for strict regulation that forces them to have disclaimers like cigarettes, and treating them officially like the public health disaster they are.
The free market, despite what the capitalistic religion leads you to think, is still not the only option.
sak5sk 12 hours ago [-]
People do want alternatives. Bluesky is a clear example of that. Nostr is clearly not as big, but it's a protocol.
jasonvorhe 2 hours ago [-]
It's way too easy to get banned on Bluesky and to my knowledge their promises of being decentralized are comparable to Telegram being E2E encrypted.
t1E9mE7JTRjf 13 hours ago [-]
> Do you wanna change social media? Try and find and effective way to bring them down.
That's basically the point of nostr.
the_real_cher 13 hours ago [-]
We need to both bring down these big companies and also have decentralized platforms ready for the outflux
immibis 13 hours ago [-]
I downvoted this because I don't like the way it makes me feel.
camillomiller 12 hours ago [-]
That is admitting that you downvoted against the exact rules of HN, but suit yourself :D
https://eprint.iacr.org/2025/1459.pdf
The vulnerabilities here are pretty :yikes:
* The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.
* Two major clients, the mobile phone Damus app and the web Iris app, don't even verify signatures to begin with.
* DMs in this system are unauthenticated CBC, so attackers can simply bitflip messages and events to say what they want.
* The apps do automatic link-preview, so they've managed to reconstitute the EFAIL attack: attackers can locate links within messages (they'll be revealed by SNI and DNS anyways) and then bitflip them to point to attacker-controlled servers, exposing both the URLs (which will often contain tokens) and, with a bit of extra work, the message itself (by tacking `?foo=` onto a URL).
* There's no key separation in the system, so you can trick users into running a subprotocol other than the messaging system, then establishing a session key, which will then be used for messaging.
These are really basic errors; this is mid-aughts-level cryptographic engineering. There are probably a variety of other reasons to use Nostr, but end-to-end security does not appear to be one of them.
I haven't read that entire paper. Mainly, I skipped to the section you mention here:
> The event protocol that drives the system doesn't authenticate public keys, so asymmetric signatures are performative: attackers that can intercept messages (Nostr servers, the presumed adversary of an E2EE messaging system) can just swap out keys and re-sign.
I think you and the authors perhaps misunderstand the Nostr protocol. Nostr is, effectively, an identity system tied to a public key. The cryptography is sound. Your identity is your public key. When you request a user's profile, or their events, you request it specifically by their public key. That is unforgeable (assuming no bugs in the implementation, like what the authors found in Damus).
This does present UX issues that can manifest as security issues, such as "how can you verify that a user with a certain public is who they say they are instead of an impostor". That is a separate issue from whether the cryptography itself is sound.
This sounds awfully much like a cryptography problem to me!
This is completely nonsense, most clients do in fact check signatures. All relays do as well.
> Two major clients, the mobile phone Damus app and the web Iris app, don't even verify signatures to begin with.
Author of Damus here. this is an analysis of an old version. This has since been fixed. In the early days we connected to a fixed relay list of trusted relays. These relays verified signatures. This was just a pragmatic tradeoff thing until we had an optimized work queue for verifying notes (this lead to nostrdb, a custom embedded nostr database built on lmdb. it's a sqlite but for nostr https://github.com/damus-io/nostrdb)
> DMs in this system are unauthenticated CBC, so attackers can simply bitflip messages and events to say what they want.
not really true since the whole note is covered by a secp256k1 signature.
> The apps do automatic link-preview, so they've managed to reconstitute the EFAIL attack: attackers can locate links within messages (they'll be revealed by SNI and DNS anyways) and then bitflip them to point to attacker-controlled servers, exposing both the URLs (which will often contain tokens) and, with a bit of extra work, the message itself (by tacking `?foo=` onto a URL).
you can turn off these, you can turn off images as well. people should run a VPN of course if they are worried about these things.
This makes sense in nostr, because anyone at any point can mint new public key and start posting events and other people are free to start following them, from which point they can ensure that the new events are coming from the person holding the same private key. And this is what relays and clients do.
The fact is that clients do verify signatures from events received from servers, that is in the protocol specification and should be obvious to anyone mildly honest.
The entire assumption of the paper is that clients don't do that and it is void. Yes, they did find a couple of clients 2 years ago that didn't verify signatures -- so much for a vulnerability in the protocol. I guess they wanted Nostr to have a code police arresting client developers who didn't finish their implementation?
Aside from that the attacks they demonstrated depend on a bunch of other absurd circumstances (like you have to manually and voluntarily type the URL of the attacker server in order to be attacked) but it's not even worth talking about them since the basic assumption is so completely false already.
The encrypted messages stuff is not even a core part of Nostr anyway, Nostr is a broadcasting protocol for public or semi-public content. Encryption can be added on top and there are multiple ways and proposals for how to do it, including an implementation of MLS and other methods and I personally mostly do not care about any.
I wish the paper authors were more honest and republished their work with the title: "the dangers of trusting a cryptographic signature without verifying it", but I imagine that it would have been too obvious and worthless if it was phrased like that.
At first glance I don't understand what this is. Is it a social network? A protocol? "Pro-censorship? I need to read some blog article...
It's been like this with scuttlebutt/gossip, and rest of the alternative internet/fediverse with mastodont and activitypub and diaspora. Instead of asking questions like "How is this different than email? How does it compare to twitter?", I have to start with "What am I looking at? A technical implementation or a product? Is it a website or an app? What am I supposed to do with this?
There's also Urbit, which I'm sure not a single one of you can explain exactly what it is.
It's not as bad as "Web3", I'll give it that.
Bluesky got it right. So did gemini to some extent.
The end result is a bad experience for both user and developer. Using a single relay is centralised and defeats the point. Using multiple relays is slow and cumbersome and requires the user to know/care which relays they are connecting to.
When I played with Nostr a couple years ago the "NIPs" were already a complete mess. Later NIPs supersede earlier NIPs changing how clients are supposed to interpret messages. At least some are flagged as "unrecommended: deprecated" now.
That said, many of the "larger" relays do store events from other relays (federation if you prefer). Primal does, TheForrest does, nostr.land and so on. Nostr.land specifically has a purpose of aggregating notes from many other public relays, with spam filtering. It's a paid relay built for that purpose. Don't want that, use someone else.
Most users get to see 99% of notes from the current relay federation now, but it's also impossible to check those metrics.
Certain clients and signers store notes privately so if a relay ever decides to censor your notes you just publish to a different relay if they don't have your notes already.
Chances are if you use ANY of the popular paid relay providers, your going to get warnings on 3/4 write events that the other relays _already_ have the note published to the first. It's usually that quick...
Finally, relays "federate" by acting as clients themselves. Most relay software available already offers this as an option, may use it as a local cache for when on mobile and network/wifi is slow. Their local relay slowly pulls notes from other relays (or outbox) and caches those notes for when they load their client up. It's cache and the client dev didn't even have to write that functionality, it was transparent.
Finally, other's mentioned outbox, which has it's own set of issues as well, but it doesn't matter because a client developer can choose to give the user the option if they want. Going from federated, to peer-to-peer which was the intention.
I'm running an indexer (a relay) which federates with other relay indexers. Similar how activitypub relays work. Any client can connect to indexer to help bootstrapping and find metadata around events. There are many ways to discover stuff from clients even without being connected to the same relay.
Most NIP are fine and continuously improved.
This is trivial to solve when there is there a periodic release of the NIP as done in other specs. So far there hasn't been much need for that formality, most developers understand quickly how to create tools on top of it.
The protocol's real value lies in other use cases.
Some apps indeed use this method of selecting a static set of relays, and if that was the protocol you would be correct about centralization or bloat, but this is legacy from a naïve unfinished early implementation, most apps do the correct thing now and the rest is transitioning.
Did/does Nostr have some cryptocurrency connection or am I thinking of something else?
* is there even a need for it? I would say that most people are quite happy with centralized platforms; I don't see it changing anytime soon (why?)
* wouldn't we end up in the centralized world anyways? Even though there could be multiple NOSTR clients and relays, we all know how network effect works - people will flock to a single or a few best ones; does it really change the situation that we have today - a few centralized platforms?
* I don't see clear incentives in this protocol that would improve current social media landscape - granted that I don't particularly like current ads/sell your attention model
I am not sure that having a protocol like this is better that having a few centralized platforms - today's situation. Not to even mention technical challenges and worse user experience that NOSTR brings
In NOSTR, even though yes there is more than one relay, but you still need their permission to publish; and yes, you can run your own relay - but you might host your own website too - no need for new apps and protocols to do this
In your example you can think about nostr as a protocol on top of "your own websites" that allows all people with "your own website" to effectively communicate and live interact with each other. And creating "your own website" is just a matter of clicking a button in any nostr app that generates private key and public key pair.
https://asknostr.site/
I hope this demonstrates how a distributed social protocol can solve many use cases and the advantage to the end-user:
- do not get rugpulled by (VC backed) companies that own your data
- receive zaps/money by contributing
- data is truely available to everyone (but signed by author)
* relays can just go away - you don't have your data then
* there is both user-friendly and secure way of managing your private keys; additionally, once your keys are gone, your identity is gone - there is no "I forgot my password" procedure
Not only classical P2P software did exactly this, it worked/works beautifully. The only reason classical P2P software did not work and did not replace WWW as application was because of piracy prosecutions that makes users responsible for hosting data with unknown content that would be later revealed to users to have been pirated content that the user would be criminally responsible a la illegal substances through airport checkpoints.
That's bad - both the fact that users' passive actions are incriminating, and substances too. So the next-gen P2P would have to have plausible logging content filters such as AI-based CP and Hollywood detectors that would stop relaying of such content so that users can defend themselves in criminal courts. Or the systems could also be in-circle specific so nothing of value is lost if everyone in a terrorist group would be prosecuted together, though I imagine that could hamper network growth.
But fundamentally, I think the model has to be that all clients are also servers. That's the best way to decentralize a social media.
https://www.iroh.computer/docs/concepts/relay
We've been hosting some bounties like this one here: https://app.lightningbounties.com/issue/615dc5f7-ed91-4ecd-8...
The real lesson is that most people don't care enough about the underlying risks - they care about convenience.
P.S: anon1395 is likely a new, mere troll account. Well played.
Monero has other things working for it though, like the absence of liquidity issues you might face using Lightning.
Not reliable for larger values.
And attention that Monero isn't the only privacy coin in town, but it is the one that is without doubt more attacked by governments due to its privacy. You don't see the same treatment for neither LN nor bitcoin, instead you see governments supporting it. There is a big difference.
I am involved in Lightning and run my own node - it is pretty much private enough for all sorts of micro payments for content creators. Not private enough for organized crime to move large sums, agreed.
You also forget to mention the 51% attack monero recently suffered. Lightning is bitcoin based and way more resilient to that.
That 51% attack on Monero never happened, despite much noise and headlines saying initially otherwise. You can verify this for yourself.
And it - too - does not look into trampoline payments. Trampoline payments are a new feature that are not yet in a BOLT standard, but tried and tested in beta and used i.e. by Phoenix Wallet or Electrum.
Anyways thank you for mentioning Trampoline payments, I've learned something new.
So that point you raise is fake. However, if you want to pick a more realistic reason then complain about the fees which are still high when doing for example a payment of 5 cents and the fee will often also be 5 cents whereas it should be free.
Anyways, I'm not even a fan of Monero being used for that purpose. The conversation here was about privacy and the lack of it on some virtual coins.
Nostr has existed for at least 5 years. I remember people migrate there and promote it on Twitter during pandemic. Infancy?
Have there been any attempts to make more of a “network” that incentivizes operating personal websites but adds a mechanism for typical social media features like chat, a feed, etc. in a centralized way? The only thing I can think of is RSS, and that is only a way to follow content publication.
You can, in theory, generate a new key for every post if you want to. The relays don't care.
This is something Mastodon etc. lacks (accounts are tied to servers, so you can't move your self-hosted Mastodon to your self-hosted Akkomo without keeping Mastodon running, and you can't move from one instance to another if your instance admin doesn't let you).
On the other hand, the complete lack of account recovery, even for sysadmins, is something many people will have an issue with.
However, the copywriting there is not in this vein at all. IMO the metaphor of personal websites is a simple, universal one that most people can understand. Nostr seems unintelligible to anyone that isn't pretty technical.
you don't even need to know how to host something on a server, the relays do that for you.
Nostr is an apolitical communication commons. A simple standard that defines a scalable architecture of clients and servers that can be used to spread information freely. Not controlled by any corporation or government, anyone can build on Nostr and anyone can use it.
We already have a mix of technologies to achieve that effect. Sort of. Simplified, you can host a personal website on shared hosting, a VPS, or wherever, at the same time chat via IRC or XMPP, and use RSS to create feeds to share tidbits about yourself. Nothing stops you from combining different programs and services to get that.
So, what are the problems you're actually trying to solve here?
Do you want to improve accessibility, that is: lower the bar for non-technical people to join feeds, publish their own thoughts, join group chats,...?
Do you want to improve discoverability across what we already have? Make it easier for everyone to serendipitous finding information? Like, search, recommendations, linking, pub/sub, and so on?
Do you want to solve sustainability? Developing models that also cover the expenses involved i.e. either covering the costs in maintaining tech, or redistributing the costs?
Do you want to solve governance, the issue of providing enough affordances to communities to moderate/govern themselves?
These are big questions, and once you try to solve them together, you'll have to make trade-offs, inevitably. Decentralizing everything sounds great, but that has an impact on discoverability, as well as accessibility. Not having another account sounds great, but that hides complex debates about online and offline, distributed identities.
Even more so, if you dig deeper, our approach these affordances is based on our values. And those can be very different depending on who you talk to. That's where things enter the murky, ambiguous teritory of sociology, culture, and so on where few absolute truths are offered.
That doesn't mean we should just accept throw up hands and accept the status quo, though. Talking in terms of a single "network" or a single "protocol" is too crude to approach these questions. The intrinsic value the Internet offers us, can be found in a handful foundational design principles like standardization, composition, openness,... which allow us to create many networks that host many diverse communities. Each to their own isn't a bad thing as it's too naive to think that there's a catch-all solution that caters to everyone's needs. Balkanization, such as it is, becomes really problematic if it erodes common beliefs we hold about a free, open and accessible digital global network.
Many "technical" people who are active in these niches like Mastodon, Nostr, the Fediverse, or even the Smolweb, do so because they are steeped in a particular (counter)culture that espouses the same values that also led to the birth of the early Internet. Cyberspace really is a marketplace of ideas first. Technologies are an expression of that.
It's more that I like personal websites, from both an ownership and creative perspective. And so I wish there were more approaches which attempted to incentivize that model without creating a complicated new protocol, platform, etc. That might involve making it easier to create and self-host websites, an opt-in directory of personal sites with chat + forums attached, or something else like that.
Some modern day examples include: https://tilde.town/, https://tilde.club/ and https://sdf.org/.
But shell access doesn't appeal to non-tech users. It's the difference between engineering the electricity in your own house to become self-sufficient, and just expecting to magically get power when you plug a device in the socket.
Can't monetize that.
Some people say that labeling yourself apolitical is 1, a polticial statement 2, a privilege itself which puts you into a certain socio-political position
> It is certainly true that the Greeks valued civic participation and criticized non-participation. Thucydides quotes Pericles' Funeral Oration as saying: "[we] regard... him who takes no part in these [public] duties not as unambitious but as useless" ... However, neither he nor any other ancient author uses the word "idiot" to describe non-participants, or in a derogatory sense; its most common use was simply a private citizen or amateur as opposed to a government official, professional, or expert. The derogatory sense came centuries later, and was unrelated to the political meaning.
https://en.wikipedia.org/wiki/Idiot
...which is a very much a political statement.
But the point is, nostr does not intent to judge that. It happens automatically while communicating. Nostr is just the means to communicate.
And others say that we should use our positions of privilege to help others, which seems to apply in this case.
Oh look I found the politics.
No one sells "apolitical hammers" or "apolitical drills." If one has to specify that software is apolitical, it isn't.
No software exists in a vacuum, even the license terms are a political statement. Certainly nostr was created as an expression of fiatjaf's specific political ideals, and those ideals will tend to attract certain political demographics, and repel others.
That conclusion doesn't track. In a time when a lot of software has become politically charged, it's perfectly reasonable to specify when that isn't the case.
> No software exists in a vacuum, even the license terms are a political statement.
Software doesn't exist in a vacuum, but not all licenses are the same. There are many licenses that don't place any restrictions on how the software is used. There are others whose authors relinquish all control or ownership. You may see these as political statements, but that would be corrupting their meaning. It's like claiming that atheism is a religion...
Whatever beliefs the authors have does not taint the software at all, unless the software itself is political or they make some political commentary. Communities created around software are political, as societies always are, but the software itself is inert.
The bottom line is that the Nostr project welcomes anyone, regardless of their politics. That is worth mentioning. If it attracts a certain type of political ideology, that has to do with the people who find the software appealing, not with the software itself.
Or they find that this is the only place their politics are accepted. A nazi bar is not better than any other bar.
Are there any major figures of interest primarily participating on any Nostr platform? Or is there any kind of uniquely interesting content that is being primarily produced and shared on Nostr?
Network effects are everything. The tech can be good but the product may not be - solely because of the network effect. Still - pretty good tech!
Last year one of users on mastodon I was casually talking to decided to move to Nostr - he claimed in his last posts that some features like pools and voting are locked behind payments there. Can someone shed some light on that? I couldn't find any info if that platform does contain paid features.
https://bitchat.free now uses nostr for non-mesh contacts somehow, but I see no-one there either.
The "algorithm" in any social media is a blessing and a curse. Nostr shifts the responsibility of what to show to the clients.
In the past, the way that I would typically get to know people online was either through niche topic-specific forums or IRC channels. Then eventually if we got to know each other well enough, we would connect on other platforms. The modern version of this seems to be Discord. These platforms are all topic focused, rather than being user-first.
Discoverability is important! And one of the limitations of search or tag based discoverability is that you're limited to finding things which you already know about. But it doesn't help you find new things that you don't know about! This doesn't mean that algorithmic discoverability is the only option, for example: you could find some way to map the user's interest spaces and search for unexplored or undiscovered nodes.
We've been talking a lot about this problem in nostr which can't be summarised in a quick HN comment but gathered some threads if you're really interested
https://asknostr.site/question/note1es989rjaccw82gpp705u462y... https://asknostr.site/question/note12dp9ewpngxejq8w9s6699k5z... https://asknostr.site/question/note1cp5cw366g7q9c2txvtrws0h7... https://asknostr.site/question/note1zqjk556quu6rvyetzvhdv7p3... https://asknostr.site/question/note1ss842g38wafwcfexd78gx0sc...
My guess is that the better the network becomes the more that specific content will take a backseat
AFIK Freenet is the only truly resilient anonymous network that lasted +20 years without literally a single successful attack by the state actor.
It's like RAID over the internet over encryption with global replication of data. Amazing project for PHD thesis lol
1: https://en.m.wikipedia.org/wiki/Hyphanet
Imagine it this way, freenet needs electricity and servers to keep running. NOSTR messages can be printed in paper (handwritten even) and you'd still be able to verify it belongs to a specific person.
Basically freenet builds a network for communication (roads) but NOSTR is only about messages (cars) and doesn't really care about which road is using.
There is no centralization because there is no coordination. There is not even knowledge of what can be happening elsewhere because these messages might not even be using internet to be shared (e.g. radio or paper messages)
On the other side this is what makes it so powerful. You can download the full set of text messages from someone into your disk, that disk be found centuries later and digital archaeologists could easily read the contents because it is plain text.
So it isn't competing against freenet, it will use it very happily when available as option.
Nostr users, how does this differ in your experience from Mastodon? At first glance it seems like the same idea but with the extra ingredient of blockchain, I'm not sure what this adds though, anonymity?
You start by creating a pair of public/private keys. That is your "account" but is independent from everything else (e.g. not tied to any specific tool nor web service).
Then you create texts (notes) which are digitally signed with your private key. Using the public key anyone can verify it was you writing it and nobody else.
There is no blockchain in the process, these simple text messages get sent to a multiple number of relays (you can even host them yourself) and other people can read them very freely.
The main difference to mastodon is that exists no central server where someone registers an account and has the power to kick you out from the site (deplatform). This also solves the problem with the mastodon servers decides to stop the service and suddenly everything is gone.
On NOSTR your texts are your texts, and there are multiple copies everywhere (more than 1000 free relays at the momment).
So with Nostr - it's decentralised to the point that I'm (me the user) the individual point that's sending et, rather than Mastodon which is decentralised less such that there's multiple servers with many users.
So you can always download and read them easily. I'm an old person from the forum days and was really annoying that whenever a forum would go down, all the useful posts and info shared over the years would disappear too. With this kind of mechanism, it is easier to rescue that data.
NOSTR isn't just about twitter-clones, it can basically be used to replicate blogs, forum and chat apps that exchange messges.
Though, they did happily filter Macau casino spams flooding the system, so I wouldn't be so sure. Workload of posting to and receiving from dozen servers was also not trivial when I was trying it out, and architecture changes to reduce duplicates and/or syncing databases across hosts were actively discussed. I guess those works were never completed judging by comments here?
On Nostr the server is just a dumb relay, it controls and owns nothing. User identities are proper public key pairs. If a relay goes evil, you can just use another one or use multiple at once to begin with, since the location of the messages is irrelevant, everything is held together by public keys.
On Nostr your account is your signature so there is no such thing as creating an account on someone else's database. You push to multiple relays where people can follow you so even if relay operators ban you there will always be some relay willing to host your stuff.
Others already pointed out there is no blockchain involved other than using the same secp256k1 as Bitcoin for signatures.
>Nostr doesn't subscribe to political ideals of "free speech"
Under a tag that says “pro-censorship”.
I think I could maybe (?) imagine what they’re trying to say there, but “a lack of censorship is political and the presence of censorship is apolitical” sounds like something a person would say after a humongous bong rip of salvia or sustaining a life-threatening amount of blood loss
So, for center-right users.
The answer is trusted relays and Web of Trust
Long-time nostr user. My feeds are all spam free. Not to say there aren't any other problems :-)
But when it's just a new account with a few LLM-generated replies - how would trusted relay automatically detect the malicious intent?
In the end the content I was seeing there was almost exclusively about Nostr and Crypto so it wasn't that interested to keep using it.
Example: Click "Join Nostr" on the nostr.com landing page and the first thing you see is "private" and "public" keys. Click next, you land on 4 example nostr clients. One is broken, the other one is filled with japanese content, the other one is a GitHub repository etc.
It's a cool project from a technical pov as the system is quite simple but you can not expect regular content to start popping up if the experience is only tailored towards motivated tech nerds.
I tried to improve that by making it easy to syndicate the content of Kirby (A blogging framework) to Nostr (https://github.com/dewey/kirby-posse/pull/9) but ran into many issues with how the various clients support and show images and lost interest along the way.
There’s also work on a Web of Trust in some clients that filters notes from people that don’t meet the WOT score. It’s essentially a weighted score based on who you follow and who they follow
Effectively, everything else is left to be implemented.
That probably explains try-everything-see-what-works approach to client apps?
People could spend $1, or $5, or $50 of compute for an identity, and others could use the cost of the identity as a filter. Having a $5 ID put on a blacklist would make poor behavior of any sort more costly.
Identity on nostr is just a public/private keypair.
You can enhance that identity by sending a kind0 (metadata) note with your name, bio, pictures. So i guess you're suggestion to add PoW for kind0 events which is covered by NIP13 too.
But although there's the technical components available to easily build such a thing, you're not aware of such a standard having been discussed, much less defined?
EDIT: To be clear, the idea for this would be a equivalent of the "blue check mark", but 1) you pay it yourself and 2) you can make it as cheap or expensive as you want.
One could argue that this is a deeply political thing, just not one that the usual suspects would care for. +1.
https://asknostr.site/question/note1534t79a5nk8ajcx8xqlsa3pr...
But it's still early and not all clients support it.
Then there is https://www.amethyst.social/ which is excellent because it brings out more of the potential of the platform.
Jumble.social is a good web client.
You and your 3 friends tend to do the same every time NOSTR is mentioned just because you use another platform. Please be honest and admit the affiliation.
https://www.youtube.com/watch?v=Ur20vi40NYY
Lots of people also like Primal. It's well polished and replicates Twitter/X reasonably well.
One of the most depressing things about the decentralised protocol space is the adversarial attitude to other projects - whether that's Nostr v. ActivityPub v. ATproto v Nostr, XMPP v. Matrix v. IRCv3 v. Deltachat, etc.
Imagine if the energy spent on positioning yourself relative to other open-source projects (who should be fellow travellers, if anything) was instead invested into competing with the centralised proprietary incumbents instead.
The same applies to open source as a whole, but it's depressing to see the same vibes leach into the literal tagline of the project.
GTalk first de-federated (weakening XMPP as a whole), then killed XMPP support completely. Reader effectively killed RSS for casual users. Email has been swallowed whole by the oligopoly of GMail+Yahoo+Outlook+iCloud+etc; spam is a real problem, so if you're self-hosting your email, you kinda expect to be blocked by default by the large networks.
Existing, corporate-backed efforts are "open-washing" their services.
Signal is supposed to be using an open protocol, but IIRC won't even let you join their network if you use an alt client.
Following Twitter's demise, Bluesky popped up, and promised federation. I didn't check in a while - did it happen yet?
Actually open networks? Mastodon took off like crazy, but everyone tried to register on the "main", biggest instance - we got bamboozled so hard, we can't even comprehend what "decentralized" is actually supposed to mean.
ActivityPub as a protocol? Ted Unangst decided to build his own client from the spec, and was constantly running into Mastodonisms. <https://flak.tedunangst.com/search?q=activitypub>
Matrix? It has effectively one client (Element) that isn't a security disaster. <https://soatok.blog/2024/08/14/security-issues-in-matrixs-ol...>
Anything left, worth of anyone's attention?
Related recent discussion: https://news.ycombinator.com/item?id=45077291
"An open protocol with a chance of working" = ?huh? "Nostr doesn't subscribe to political ideals of "free speech"" = ???huh? "BEEP BOOP" ???wtf??
Please don't explain technical things as if you were talking to children. Explain them as if you were talking to a colleague sitting next to you. Talk to them as a person and as a professional.
That helped me understand the protocol better: https://www.youtube.com/watch?v=Tbt3jL1Ms0w
This also helps understand the whole basic concept: https://github.com/nostr-protocol/nips/blob/master/01.md
If you are familiar with the IRC chat system, it is similar to IRC but with JSON messages and the ability to store & resend messages on the servers. Servers have to connect to each other and are free to each have their own policies.
You write an email (note/message) but instead of sending it to one server, you can send it to multiple servers of your choice. Each message is digitally signed with your keys and a time stamp, so you can verify that the identity is truly yours no matter where the message came from.
In my opinion is the most innovative way of communicating that I've seen in the last 20 years. There is no concept of server nor permanent location.
A relay can refuse to receive your messages, but they can't block your account because you can always write new notes, sign them and send to wherever people want to read your texts.
Imagine the case with Trump when he got blocked from Twitter. With a click of a button they have deplatformed him, with NOSTR he would have just continued writing and people would simply tune to another relay to keep reading his texts.
On top of that are other good developments. For example, file sharing also became decentralized. So files, images and other media can be sent to the relays and you mention them from the notes based on the file hash which is good save content when someone else hosting your texts and media decides to stop hosting.
Maybe you could explain what they're lacking?
As a user I don't want to see it and the submitter should be found and jailed for distributing it. Right now, it's hard to know where it even comes from since it can come from any of the relay you are connected to. Most apps do not show which relay the content originates from and honestly, what can you do?
I guess one solution is to only use paid relayes or heavily restricted ones that require invitation. But if that is the case, it kind of defeats the purpose of Nostr to begin with IMO.
The content (images, videos) itself is often quickly removed by blossom/media relay runners, especially if people report it and once they're cleared the spam notes are basically worthless to anyone because they're just dead links and spammy/abusive hashtags. Due to the hashtags is still quite easy to purge them.
I run my own relay and self reported it whenever one of these notes or uploads hit my systems. I built a quick shell script using AI to take care of almost all of that.
I'm a long time user of NOSTR. When you enter the network through any of the main clients you will only see curated topics (trending). The WoT assures that the best content comes up.
If you feel that is wrong, please describe the steps to replicate such situation.
Step 1: In 2023, notice a crypto spam post on Mastodon with a weird account name.
Step 2: Look up what could have made that post, which was bridged from some other service.
Step 3: Set up a key, grab a client (I used a web client that deployed to Netlify's free tier).
Step 4: Follow some howtos, add relays, follow some accounts that repeat other accounts, try to figure out how discovery works.
Step 5: Start seeing really disturbing content.
Step 6: Delete all this stuff, and write it off in the same bucket as Freenet.
Step 7: Wait some years.
Step 8: Get called a liar on a web forum.
The easiest way to try NOSTR is using any of the common web platforms like https://primal.net or https://yakihonne.com/
Heck, you can even install NOSTR clients directly from the App and Play store since years.
It is very unbelievable that you followed such a complicated process, even went to effort of deploying to a server (what?!?) and then somehow you see disturbing content without looking explicitly for it.
In case you are sincere, try it again using any of the common methods.
I did find the client I used; it was called "branle". I'm not in the habit of installing random shit on my iphone, thanks. Deploying things to Netlify is super easy, especially when the software is designed for it explicitly.
I will not be trying again, because as I said elsewhere in the thread, I don't actually care about nostr. Bluesky is working fine for me these days, and in the event that stops being the case, I won't be revisiting the one I already wrote off.
> you can even install NOSTR clients directly from the App and Play store since years
Since feb 2023, apparently;)
I'm a user since January 2023, there were plenty of well-known web clients already available back at that time (e.g. coracle, amethyst, etc). You enter the clients, there is a WoT by default and shows the most proeminent conversations typically.
My experience was never as the one he describes. Not even at the beginning, as you can see for many others here on this same publication. Those few (3?) cases mentioning otherwise will never provide real details for their claims.
It's funny when people first say "nostr is just a protocol and completely not subject to censorship" then "there is no way a new user would encounter bad stuff on nostr". pick one?
The leftist media hates this website because they are doing an effective job. They are calling them all kinds of things.
When people are effective in tracking or publishing about pedos, there are always a lot of people saying you are the problem, not the pedos. I wonder why. There are a lot of pedos out there (just look at dumpens work it's kinda obvious) and they are of course using services that are anonymized and decentralized like any other.
Usually they are also very active online and attack people that try to cut their illegal actions online. Just look at my original post, it is downvoted. I just wanted some kind of action towards cutting pedo content and it is frowned upon by these people.
It is a grave and unfair accusation to associate NOSTR with such nefarious activities, that was the reason why so many protested against that labelling.
I don't know how the app I used works. I simply used the "Snort" app, connected to a few relays and did not use it for a couple of months. Then I came back and instantly saw CP freely shared. Instantly removed the app from the phone.
You can't say that it don't exist when people like me have seen it with their own set of eyes. This only makes protocols/projects like nostr set to fail, since regular people won't fucking care and just think of the nostr as something pedophiles are using, which they would not be incorrect in thinking at this moment.
I was betting on nostr in the beginning, I was running my own relay and started on a nostr client. But I gave up since clients came popping up everywhere so I didn't really have time to compete.
This happens because Japan always has disproportionately massive online presence with significantly better democratized attention engineering, and so content selections naturally mimic a crossing at Akihabara(despite it almost has been entirely superseded by Chinese tech cultural centers such as Shenzhen), not the Times Square(in NYC), which infuriates a lot of somewhat vocal people.
And, the reason why I must bring this up is that it is not merely it is inaccurate labeling, but it is also counter productive to not face it straight on. Such as, people would move away from pornography, making it less actually pornographic, which is more child-pornographic by the standards of people using this term in this manner, because that is what are considered LESS sexualized contents by its producers, which by the way exist in orders of millions in Japan and leaking out fast into Asia at large.
TLDR. Hating anime, fine. Just don't call it CP. Your words sound opposite of intent. That's what brought us here. So stop.
2. I have been to Japan several times, I know the difference between anime/hentai/lolita and stuff like that. This is not what I was experiencing.
3. I have nothing against pornography in general.
The issue is that when people bring up shit like this, we are not taken seriously and this hurts projects like nostr. It will never reach momentum if no steps are taken to prevent illegal material and dark shit like CP.
Calling me a liar makes me believe that you are intentionally are downplaying the experiences I and others have, which is helping pedophiles and similar people share their illegal content freely and without consequences. Why I do not know and you should seriously think about it and stop.
- the larger group says they see NONE of $thing,
- both are looking at the EXACT same thing.
-> The disagreement is in the definition of $thing.
It can't get clearer. How else would you explain it? Either you're lying(I guess not), or your definition is way off, or those secret underground organizations made some mistake and their secret Facebook group illegal content leaked out(no such thing on Nostr). By far the most likely scenario is that you're grouping from traffic cones to boxes of oranges to parrots in a forest into the exact same category of offensive contents by standards that nobody else could even understand.
You're lying about me lying.
Is there a fundamental reason this wouldn't be true? Isn't it a place where people can anonymously share multimedia with minimal moderation?
In my experience even the most toy application exposed to the wider internet will face this issue.
I can't think of any clients which surface weird stuff (I've never seen any on nostr). I think to reach this situation a user must follow weird accounts and thus get their content - but then I can't see that as being nostr related, since someone could do that on the internet or other networks.
These people come back fuming hot with more derogatory, still indirect, descriptions, and cycle repeats. This has been a "problem" for social media for almost as long as I've been online.
The best thing is asking them to provide steps for replicating their claims, which they won't since it is the not the common user experience at all.
It's odd that they see "tons of" things that they can't describe beyond it belongs in the category, as if, just as if, actually characterizing it beyond making trust me remarks would lead to formation of broad consensus against them rather than against the contents.
What doesn't make sense is when the other party starts making stories just to tarnish other competing technologies. Just now the OP was asked to provide details to replicate his findings and those were indeed very "fuzzy" to say the least.
Nope. Most are born out of people not understanding how existing systems work and/or looking to get rich quick.
> an ever evolving technology fueled by those same critics.
No, it's mostly a self-perpetuating self-congratulatory hype machine busily re-inventing the systems they criticise
> What doesn't make sense is when the other party starts making stories just to tarnish other competing technologies.
What does make sense is the extremely fragile ego of crypto bros who can't stand any criticism towards their scams and hype, or the mention of any possible issues.
Crypto wasn't created as a "get rich quick". I say this because I was there since the early days and participated quite a bit on the related BBS. Back then you'd already make good money building bots for day trading on stocks, crypto was really about a type of currency that no government could touch.
Nowadays the large majority of users are desperate to make some money through pyramid schemes and pure speculation to "get rich quick" albeit they usually end up losing money. The small minority is doing what they've always done: looking at systems, criticizing systems and building their own solutions to those systems.
There is really good stuff being built. Not many do it, granted.
There is a very insightful thread on nostr about it -> https://asknostr.site/question/note1lhvk3kkmaev6qzlpzzns69vw...
The top voted answer was
> Relays have to become more whitelisted and less open, and clients have to implement outbox model and stop relying on 2 or 3 big relays, then we can just stop worrying about this.
Question. Do you prefer open or closed networks? I'm sure you are aware that the internet is an open network.
Its on the individual to block that kind of stuff.
These protocols seem to think that people actually want an alternative to what Instagram, Facebook, X etc. give them. They don't, we all just want the comfort of our own little bubble and a constant feeling of perceived fame. The rest, and all the talk about the protocol that underlines this is just fluff for nerds that will have zero impact in a society dominated by tech capital.
Do you wanna change social media? Try and find and effective way to bring them down.
> The most interesting feature of Mastodon is that by its nature it creates communities with shared values that grow in each of its servers. Or, should I say, that should be a feature if it actually worked like that. In fact these are not really communities, but a mashup of users that may share some interests among each other, but also have other interests and those other interests end up polluting the supposed "community" with things that do not interest the other users.
ie. they're complaining that federated communities are too diverse and multi-faceted, instead of being divided into nice little laser-focused grids of shared interests
I think the point of the quote is that Mastodon tries to be both a topic-centered community platform as well as a "everything goes" public social network like Twitter/X but the federation aspect is not true decentralization because you can easily lose your social graph/reach if some instance admin doesn't like you or your own instance gets #fediblocked.
Perhaps building alternatives that can replace them on run in parallel is the best way to do that?
But...Nostr (and other decentralised social media protocols) can offer things the existing platforms can not do: interoperability.
Imagine the people you follow to be the same from FB, to strava, to spotify... Imagine the content (signed notes) you make are available on different clients/platforms
That UX, perhaps for use-cases and projects we can't imagine today will be so much better than what we have today. I've tasted a little bit of just that switching between my Nostr twitter-like client (Primal/Yakihonne) and the Podcast app (foundtain.fm). It blew my mind.
This opens use cases the existing platforms can only dream about.
That's basically the point of nostr.