I have to repeat my most important concern about Nostr from ~3 months ago[1]: Nostr makes you forward data from strangers unencrypted. If anything unlawful which you forward for Nostr is ever found on your computer, or found transmitted from your computer, you'd have a fun time explaining to the authorities how it even ended up on your machine, and why you are disseminating it.
Encryption is not trivially easy to introduce into this scheme, and it can't be too seamless. It's possible though, and I encourage the developers to work on that.
Then I guess I'll have to repeat my top reply to you then.
"Relays can be authenticated. If you don't want your relay to accept data from anyone, don't leave it open. Same with any other Internet protocol."
If you don't want people to host illegal stuff on your server, do not run an open relay, an open FTP server, a social network, or an image host.
If you do, be prepared to have to work hard to keep bad actors at bay.
It's not strictly a NOSTR fault, and there is no reason why YOU need to run a relay.
Your comment is misleading and a little disingenuous: Nostr doesn't make you forward stuff. A client doesn't have to forward anything. It just connects to relays and subscribes to topics. Relay != client.
Authorities are already working together with companies in lots of ways to filter out illegal things, and it doesn’t look like they are putting CEOs in prison as long as they try to filter these things out with the tools available.
What Nostr changes is the backdoor deals that are happening and Elon was showing: FBI, CIA and other governmental organizations censoring politically sensitive, but legal content, which incentivises governments to be more transparent (and of course CSAM will remain illegal, there’s no controversy around it).
I guess what I meant to say, for those who missed out on the good old scuttlebot days, is that encryption is trivial and also you should not be syncing strangers.
People have solved these problems before, and we will solve them again.
Certainly! But they need to be solved first, and key distribution / trust is a bit more involved than just message propagation.
Not synching strangers may sort of miss the point of "censorship resistance". A group of people that know each other can use e.g. Signal to share data, with very good guarantees of protection from outside snooping or pressure. I thought that one of the key parts of Nostr's idea is the ability to find forwarding nodes without being personally friends with node operators, much like Bittorrent or IPFS.
Yah, you've got it. Nostr is heading in this direction that scuttlebot already achieved (at one moment in time) by eventually developing encryption over a wire and having a sync strategy.
Right now Nostr (mostly) parks everyone's data on the relays without a strategy. On ssb there was a strategy, which was that relays are also friends and they decide what they keep for you. FOAF gossip and replication. I'm sure there's a repo with some old node.js code in it somewhere around here that describes it.
We'll get beyond this, and we're putting together the team to redevelop scuttlebot right now.
To me the entire protocol seems like a slightly shittier reinvention of the fedi approach; centralize what some people would consider hard to decentralize, assume there's enough willing souls to run the centralized technology and pray that you don't end up with one big default who can exclude all the others.
The problem is that you get the Tor exit node problem with this approach - being a relay means becoming the toxic sewage plant of the network in this way. Running a Tor exit node basically means arranging for the authorities to try and bust you down because someone tried to get unencrypted CP over your exit node. (Running between nodes over Tor is marginally safer since you'll only be handling partial requests but still not recommended for much of the same reasons.)
Now, Tor is perfectly functional since some countries have relaxed laws for that sorta thing, but Tor's data transfer is also transient - an exit node does not store anything long-term. Nostr's relays on the other hand need to do long-term data retention. I wonder how long that will last outside of flagship/VC-backed instances.
Not that it is 1:1 equivalent (due to expense and difference in encoding), but blockchains such as bitcoin can be used to store arbitrary data (and have been). Thus far I believe no one has gone to jail for running a cryptocurrency node because of non-financial reasons.
>blockchains such as bitcoin can be used to store arbitrary data
You are right, 50k or so Bitcoin nodes around the world host blocks with cp which was placed there roughly a decade ago. It cannot be removed from the chain.
AFAIK nobody has been arrested for running a node.
The internet itself is a network of relays that store and forward traffic for other nodes, unencrypted.
With that modern perspective, the internet would be unthinkable.
And, yes, these days you might have to "explain", but even the law says you are clearly not liable for passing other people's traffic. At least until recently, that was the principle. In the US, that's e.g. DMCA §512.
Yes, you've got it. Not many people were around back then, but once upon a time there was a working version of Scuttlebot (by Dominic Tarr) that was documented at https://scuttlebot.io/ with a client called Patchwork (by Paul Frazee).
The idea behind the project was that you would gossip between scuttlebot 'pub' servers and then replicate messages from the people you follow and the people that those people follow. All of the messages were signed with ed25519 keypairs, and to send private messages you'd use ed2curve to box private messages.
These days we're putting together a team that is going to salvage what is left of the working code from back before the project was scuttled and hopefully restore the network to functionality again. Please be in touch if you are interested in this future.
> Resilience is provided by the protocol being simple enough to implement in a weekend, in your language of choice. Platform lock-in is impossible, since any client can republish any note to a different relay if one misbehaves or enacts a disagreeable policy.
That's a wonderful sentiment but we said the same thing about the web and email and both are effectively controlled by large companies.
Twitter is centralized due to being the creation of a single company, but that's not the fundamental problem.
The web and email got effectively centralized because distributed protocols create problems of search, filtering, abuse, identity, community continuity, etc. You can't easily solve them in a distributed way, and even if you _can_, you can't easily get everyone in the network to upgrade. Hence, providers arise that say "We're Nostr, only better!(tm)" or "We're the best way to find what you want on Nostr!" and they work on locking in their customers.
If you want to be resilient to monopolization you have to show how you're going to solve those other problems.
Woah there. I don't agree with this. The web is certainly not centralized (this is on Hacker News and not Facebook, right?) It follows a power law distribution where you have some players getting lots of traffic and then there are lots and lots of small traffic sites. But it's definitely decentralized.
_Google_ is something of a monopoly providing some of the features you list for the web at large, but there are others (Duck Duck Go, Bing) that are just a click away.
Gmail took a huge share of the email market by being a better product for the first several years of its existence (and being free also helped). That doesn't mean email is centralized: I've been using Fastmail for the last several years and it works _just fine_. I don't have the problems you list.
Anyhow, I agree with your point that a decentralized _social network_ needs to solve the problems you're listing. I just think the web and email are actually examples of technologies that remain decentralized.
As a web developer, I think we've figured out maybe 1% of what the web is good for & capable of. There's still so much possibility, so many options, that any given person can go off & explore & play around with & succeed on. The field has never been more open for, more ready for new exciting possibilities, better set to start changing if we can make a real authentic honest outreach to users, that is a fair shake from tech, & not leaving cloud-giants holding all the cards & us with a couple magic beans.
The doom & gloom look at the macro of what the web is is really sad. It's a constant pity party. The ability to control & shape our information spaces to our liking & pick our paths has never been higher, has only gotten better as more protocols & standards, focused at purer social networking levels than the web medium at large, have arisen.
As a developer, it's been a one way street with us crafting better and better means of web development and deployment every single year, and what we're excitingly starting to see is more genuine & personal involvement not just with creating sites, but with creating interconnection, creating interlink, creating intermedia, not just on one big property, but across many voices. Nostr highlighting the idea of a relay, that who we relay is a vote of amplification, is semi-covert social commentary on picking your traffic, on selecting what gets to get shared out. There's no headier better more promising time than today (and the web continues to be the premier delightful connectable blank slate from which to experiment & iterate).
Email is centralized in the sense that you might run your own server/domain but if Google decides you are bad and stops federating with you you might as well not exist. Who are you going to exchange mail with if most people are on Gmail?
That’s very different than Google banning your account where you can just switch to Bing for search.
A big topic of conversation at nostrica (nostr's first conference) last month was how to maintain decentralization. One of the biggest concerns was having a client or relay provider build features outside of the protocol to gain market share and enable them to lock-in users.
You are correct that there is no easy solution to these problems. There are draft NIPs that attempt to solve many of the problems you've described. You're welcome to join us in the conversation and work with us to try and solve these hard problems!
PS- I don't think the web is effectively controlled by large companies. Email is a different story though. Hopefully we can build nostr to be more like the web than email.
Maybe nostr needs a Law of Jante/tall poppy lopper - any client or relay that gets too special gets blacklisted/punished by all the other clients/relays (to the extent possible through the protocol). Sorry if that is in a NIPS, there are 84 in that link and I can't read through them all.
I think your "effectively controlled" is mostly meaningless.
There's orders of magnitude of difference between "started off as scattered and big companies now do a majority of the maintenance" vs actually CENTRALIZED, like Twitter.
My website and my email, from my domain, both exist generally as equals without any meaningfully strong influence from google or whatnot, e.g. censoring my website would be a practically completely different thing from the ridiculous mess that Twitter is becoming (if it isn't already.)
Email is not "controlled" by large companies. People choose to use large companies and let them read their emails because they are stupid. Email has not evolved in any way BECAUSE it's NOT controlled by some company. If Google could, they would do even more evil with email than "just" reading all your mails.
To compare Twitter with email makes absolutely no sense. Yes Twitter is a totally controlled thing by a single company, email is not. You could say it for the web when it comes to net neutrality and where it does not exist anymore ...
Not everyone needs "reach"¹. In my case, if Google blacklisted my domain, worst-case scenario would be a handful of people who wouldn't get my emails, and I'd have to reach them by other means. I'm actually dealing with this right now², except with AT&T instead of Google, and all that's lost is my ability to email my grandpa.
More realistically, even when Google "blacklists" a domain, it typically just means emails from it end up in spam. "Check your spam folder" is sufficiently disseminated advice-wise that it ain't really all that big of a deal in practice whether Google arbitrarily decides my mailserver doesn't look sufficiently legitimate. If Google's taking measures more extreme than sending emails to Spam, then it's almost certainly because the server operator is doing something horribly, horribly wrong - like "running an open relay" levels of wrong.
----
¹: I'd go further and argue that any emails from domains operated by people who actually do care about "reach" probably should be rejected and/or sent to Spam/Junk - namely, because they largely are spam/junk. Hell, I'd go further than that and say that I know of precisely zero domains which both care about "reach" and refrain from sending junk mail. I do know of plenty of domains that think they're special snowflakes whose unsolicited marketing fluff emails are totally legitimate and not at all spam and therefore it's totally unfair that their "reach" metrics are below 100% because of those big meanies and their spam filters. Needless to say, I take their complaints about their "reach" with a Dell PowerEdge R750 sized grain of salt.
²: Actually more severe than the usual case with Google, since AT&T does outright refuse to deliver mail from servers it doesn't like - and despite mine appearing on no blacklists of any sort, and despite AT&T repeatedly denying in various support fora that it maintains any blacklist of its own, I get hard bounces from their servers, and complete silence when following the very support processes said bounce emails describe. Oh well.
FYI: comments like yours are more effective when posted at least a day later, lest they end up looking silly when the "silence" is eventually broken - as it is now.
It is still very effective, it took you a day later to respond to the parent.
OP Comment: 25 April 2023, 00:41:52 AM
Yours: 26 April 2023, 03:18:06 AM
I was expecting a response much earlier than that since the answer is very obvious. Instead you decided to come up with a typical anecdote which can easily be dismissed.
The main fact is, almost everyone knows that you lose LOTS of users emailing you once a provider like GMail blocks you as it is the most used email provider. [0]
> It is still very effective, it took you a day later to respond to the parent.
My apologies for not being terminally online.
> Instead you decided to come up with a typical anecdote which can easily be dismissed.
Which is fair, but
1. It still makes your "silence" comment look premature, and
2. If even I can still get mails delivered to GMail inboxen as an ordinary person running a personal mail server, an actual (legitimate) business should have no trouble with that whatsoever, and
3. There was more in that comment besides the anecdote, and your decision to dismiss it out-of-hand - much like your decision to prematurely declare the existence of "silence" on a topic - does not reflect charitably on you.
> The main fact is, almost everyone knows that you lose LOTS of users emailing you once a provider like GMail blocks you
Do you have any examples of GMail blocking its own users from sending an email to a domain it doesn't like? Like I mentioned in the other comment: it's more typical for it to be the other way around, and more typical than that for it to be a soft block (mail going to Spam) than a hard block (hard bouncing of mail).
Unless you've got such an example, calling that a "fact" (let alone the main one) would make Elastigirl pull a muscle; like sure, that'd indeed be pretty thoroughly inconvenient, much like it'd be inconvenient if Behemecoatyl took over my mind and compelled me to shut down my mail server, but I'm unaware of much (non-fictional) precedent for either. Even in my anecdotal case where AT&T does indeed hard-bounce emails from me to my grandpa, my grandpa can still send me emails just fine.
So says the one with 9000+ HN points, sitting here for a decade and still commenting here every. day.
There's no need for you to apologize for making me laugh at you for not being able to look at the time and it's clear you're very upset over the *silence* comment.
> 1. It still makes your "silence" comment look premature, and
Premature to what? The answer is obvious to everyone and the link I gave earlier already explains the amount of email users one would lose if they were filtered and blacklisted from Gmail which is the whole point of the parent's comment.
If I were to collect lots of emails for a newsletter, I can guarantee you that most of them will be Gmail users and if my domain was blacklisted by Gmail, my reach will be significantly limited, either having it being sent straight into the spam folder or even outright blocked by Gmail by the advanced spam filters.
> 2. If even I can still get mails delivered to GMail inboxen as an ordinary person running a personal mail server, an actual (legitimate) business should have no trouble with that whatsoever.
But most people still go with centralized services as outlined by the article I gave earlier, and they don't run their own email services either. What if this 'actual (legitimate) business' is using GSuite, Exchange, etc which has the same anti-spam checks and blacklists as well?
> Do you have any examples of GMail blocking its own users from sending an email to a domain it doesn't like?
It has been known that GMail has a so-called 'dangerous url' list(s) to prevent its own users from sending emails to domains on their blacklist. [0] There are countless reports on social media which GMail blocks the sending of emails from such domains. One example: [1], and another [2].
In both cases either way, the centralized email providers get to decide what goes through their spam filters and blacklists and that negatively affects those running their own email servers and trying to reach users that are on centralized email providers like Gmail. Henceforth such problems like this [3].
So in conclusion: Your reach will be significantly limited if you do not pass Gmail's spam filters (or any other of the major email providers filters) and users don't run their own services because: (1) They are not techies or sysadmins, (2) Even if they were they can't deal with the insurmountable spam issues and (3) They would rather sign up to a managed solution on a centralized platform than maintain it themselves. Hence this again: [4]
Rebuttal/response to/of your comment/thought/input. From the Wiki -
I ran across Nostr when I was looking for an excuse to do some network programming. I have a thing for small standards, and the Nostr spec was 75 lines of exactly what I was looking for.
> That's a wonderful sentiment but we said the same thing about the web and email
Really? Web browsers, web servers and mail servers are beasts. I don't see them being 'simple enough to implement in a weekend, in your language of choice'
Not now but in the beginning they were. The first version of HTML was basically just a hack that glued an SGML parser to the NeXTStep text view control. The web didn't support inline images because the NeXTStep control TBL used didn't support it. Then companies like Netscape came along and started adding features. The rest is history.
The identity is controlled by a cryptographic key on the client side so even if you get kicked off a server you and whoever is in contact with you can just grab your data from other relays.
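The comment above (and the "simple enough to implement in a weekend" line quoted earlier in the thread) hinges on notes being self-certifying: the event carries the author's public key, an id that is a hash of the body, and a signature over that id, so any client can pull it off one relay and re-publish it to another without the relay's cooperation. The following is an added example written for this page, not code from the Nostr project or any client: a stand-alone NIP-01 signer and verifier in plain Python. The secp256k1 curve arithmetic is written out textbook-style so the block needs only the standard library; it is not constant-time and is for reading, not for guarding a real key. The seed and timestamp in the demo are constructed for illustration.

```python
# Added example, not Nostr's own code: a self-contained NIP-01 event signer/verifier.
# id = sha256 of the compact JSON array, sig = BIP340 Schnorr over secp256k1.
# The curve arithmetic below is textbook affine math (not constant-time) so that
# the whole thing runs on the standard library alone.
import hashlib
import json

# secp256k1 domain parameters (the standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine group law; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    if p1[0] == p2[0] and p1[1] != p2[1]:
        return None
    if p1 == p2:
        lam = 3 * p1[0] * p1[0] * pow(2 * p1[1], P - 2, P) % P
    else:
        lam = (p2[1] - p1[1]) * pow(p2[0] - p1[0], P - 2, P) % P
    x3 = (lam * lam - p1[0] - p2[0]) % P
    return (x3, (lam * (p1[0] - x3) - p1[1]) % P)

def point_mul(pt, k):
    """Double-and-add scalar multiplication (leaks timing; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def tagged_hash(tag, msg):
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def lift_x(x):
    """Even-y point for an x-only (BIP340) public key, or None if off-curve."""
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if x >= P or pow(y, 2, P) != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)

def xbytes(pt):
    return pt[0].to_bytes(32, "big")

def pubkey_from_seckey(seckey):
    return xbytes(point_mul(G, seckey)).hex()

def schnorr_sign(msg, seckey, aux=b"\x00" * 32):
    pt = point_mul(G, seckey)
    d = seckey if pt[1] % 2 == 0 else N - seckey  # BIP340 signs with the even-y key
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + xbytes(pt) + msg), "big") % N
    r = point_mul(G, k0)
    k = k0 if r[1] % 2 == 0 else N - k0
    e = int.from_bytes(tagged_hash("BIP0340/challenge", xbytes(r) + xbytes(pt) + msg), "big") % N
    return xbytes(r) + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(msg, pubkey, sig):
    pt = lift_x(int.from_bytes(pubkey, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pubkey + msg), "big") % N
    rp = point_add(point_mul(G, s), point_mul(pt, N - e))  # s*G - e*P must equal R
    return rp is not None and rp[1] % 2 == 0 and rp[0] == r

def event_id(pubkey, created_at, kind, tags, content):
    """NIP-01: sha256 of the UTF-8 JSON array [0, pubkey, created_at, kind, tags, content], no whitespace."""
    raw = json.dumps([0, pubkey, created_at, kind, tags, content],
                     separators=(",", ":"), ensure_ascii=False).encode()
    return hashlib.sha256(raw).hexdigest()

def sign_event(seckey, content, created_at, kind=1, tags=()):
    """Build a signed note; being self-certifying, it can be republished to any relay."""
    tags = list(tags)
    pubkey = pubkey_from_seckey(seckey)
    eid = event_id(pubkey, created_at, kind, tags, content)
    return {"id": eid, "pubkey": pubkey, "created_at": created_at, "kind": kind, "tags": tags,
            "content": content, "sig": schnorr_sign(bytes.fromhex(eid), seckey).hex()}

def verify_event(ev):
    """What a client or relay should do before trusting a note it got from a stranger."""
    if ev["id"] != event_id(ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]):
        return False  # body altered after signing: id no longer matches
    return schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"]))

if __name__ == "__main__":
    sk = int.from_bytes(hashlib.sha256(b"constructed example seed").digest(), "big") % N  # demo key only
    note = sign_event(sk, "hello nostr", created_at=1682380800)  # constructed timestamp
    print(json.dumps(note))
    print("verifies:", verify_event(note), "after relay edits content:", verify_event(dict(note, content="edited")))
```

The two checks in `verify_event` are the whole trust model: the id binds the body, the signature binds the id to the key, and a relay that rewrites either one produces a note no honest client will accept. Nothing in the note says which relay it came from, which is exactly why republishing elsewhere costs nothing.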
As a crypto-skeptic (lol), I really like Nostr. Unfortunately, I don't think it will catch on until someone takes the time to shave off the sharp technical edges and figure out spam + identity verification. The current Nostr network is full of cult-like bitcoin cryptobros, racist Twitter/Fediverse refugees, and spam. Lots, and lots of spam. But the technology is cool af and could be made into something more.
I’ve switched over to only private and/or paid relays and don’t experience any spam whatsoever. Not that this is the best solution to spam, but it has been effective.
I host my own relay and it's stupid easy to set up. The problem then becomes relay discovery, which is an almost completely unsolved problem. I do think it will get there though.
Check out the gossip client [0]. They take a unique stab at dealing with relay discovery. NIP-65 [1] also attempts to deal with this. Hopefully clients will start implementing this shortly.
I see a problem. I'd say a majority of the posts on Nostr are media posts (mostly images) and the network relies on Imgur and other image hosting services for all content. Not very decentralized in practice.
Is it a problem? Right now it doesn't seem to be a practical problem.
I agree that where we're headed, it seems like services like this will only continually degrade, that a huge amount of the corporate-run internet is undergoing radical #enshittification at an alarming rate, & the nation-states have strapped afterburners onto this hellbound-sled by starting to make the terms of use for these already imperfect the feudal- oops i mean corporate- data-keeps.
New age-verification identity-verification to post stuff has scaled up with shock & awe speeds, with Imgur just burning down huge swaths of the internet. So I guess yeah it has become a practical problem already.
Oh and there's other signs of horror/intensification all about. Specs like Mobile Document Request opening up the Jevons paradox of making it easier to request government id online are going to make a very shitty 203X's that greatly piss over the internet legacy we have.
https://github.com/WICG/mobile-document-request-api/issues/6
But also... we have the saints of human history, https://archive.org, ticking along doing the good deeds. The more rag-tag ArchiveTeam folks. They keep saying it's not for archiving, but I really hope WebPackage / WebBundle specs take off, that we build a norm of take-away sites that we can retain. (Caveat: right now Chrome has zero interest in letting you use old snapshots, but I have zero faith this limited security totalitarianism will hold, given that Certificate Transparency lets us know that indeed this content did come from X site at Y time & had the right cert then.)
In general, it's all the web, so it only sort of matters that the thing goes away. We need to update the maxim, "Cool URIs Dont Change" (https://www.w3.org/Provider/Style/URI). Sometimes the resources go away. But the URI remains. And we can spread backups, share the content, even when the hosts vanish, because the web is so cool like that.
> Is it a problem? Right now it doesn't seem to be a practical problem.
It will be the day these image hosting services die (and they do, all the time). This setup separates the post content from the post itself. I hope that most of us remember what a giant mess hosting images for forums on free image hosting services (that were later shut down) caused.
Apparently there was a discussion just a few days ago about Imgur deleting images that are not associated with a user account[1]. Just imagine all the broken image embeds that will cause…
i already mentioned imgur. i already spent a while talking through how we adapt & deal with this. i tend to think the way forward isn't to change our user behavior or the pattern, but to layer user-sovereign resilience atop the web, which we already have wonderful examples of aplenty.
It's weird how "decentralized" means something different to every individual. Having the ability to choose where to host my images is what I'd call decentralized.
As I understand it, the raison d'être of nostr is to use relays to store your data, which is presented on clients. So if a front-end bans you, then you can grab your data off any relay. If imgur shuts down, you're out of luck!
Bluesky goes further with the AT protocol for more general data and algorithms iirc
How is this not just IRC then? The thing that makes Twitter/Mastodon/etc not just IRC, is that in these, you can scroll back as far as you like—specifically, past where your client joined the network.
Because IRC still needs a lot of things to keep running (be usable) and works mostly for chat messages.
NOSTR isn't twitter nor IRC, you can take your posts which can contain just about any type of data inside and build an art gallery, a forum or dump for meteorological information.
You can scroll back in the past. It is up to the relay if they have interest in keeping your data or not. If nobody cares about your data, you can still preserve it yourself without barriers for that.
I’m not a publisher/journalist; I don’t have any posts. I’m a historian and archivist. And in those roles, I care about being able to retroactively access data that neither publishers nor relays considered to have value / be worth preserving at time of publication, but which instead was preserved due only to the “accident of history” of them publishing in a durable medium. Compare and contrast: digitized newspapers available on microfiche.
I'm also an archivist. I've created http://arquiva.me/ from scratch which is archiving tweets (and other sources) related to people in Portugal. That archive preserves history in open format that anyone in the next centuries can access.
As archivist, we both need to pick our sources manually at some point. Nostr is quite a good tool for archives, since its format is flexible (long term preservation) and can work even fully offline.
Does this mean that if I want a normal social media feed I need to program my own relay server? Or is there a relay server somewhere that I can tell to store the accounts I'm interested in? That seems like a major flaw.
I've downloaded an app for nostr and I'm not very impressed with the posts on the main timeline. They mostly seem to spam cryptocurrency ads and bad memes, most of them carrying some kind of American right wing propaganda angle. If these are the kinds of people who are attracted to nostr, I can't say I'm sad to see the nostr project decide not to federate with ActivityPub.
> If these are the kinds of people who are attracted to nostr
I think it's more that these people are around on every platform; but most platforms create (simple, vote-based; or complex, engagement-based) algorithmic filter-bubbles, so that you can live in blissful ignorance of these people's very persistent attempts to get your attention.
(A good example of an already-established platform that doesn't have this kind of filter, is Discord. If you join Discord servers at random, you'll often get flooded by DMs from bots trying to shove this same kind of content in your face.)
As much as the engagement-based recommender algorithms of sites like Twitter encourage "hate-following" and "doom-scrolling", they do have the nice property of inherently filtering out this kind of spam: these "human spambots" post things that can be predicted by their content to receive literally no engagement at all (since everything similar anyone's posted recently received no engagement at all); and so these spam posts get dropped out of any feed they'd otherwise appear in.
Nostr inherently cannot have any kind of online self-tuning algorithmic filter-bubble like this; such algorithms are powered by a global corpus of "everything everyone is currently posting, and every way that everyone else is reacting to it." Nostr relays only see the "notes" that are passing through them; and they have no idea what downstream Nostr clients think of those posts. So even if someone wanted to build a "smart relay" that does algorithmic filtering, there's no signal to power it.
In any client you have the option to see "everything" that is passing, and it is a lot from just about every topic to the tab where you only see the people you follow.
Practically all relays will store your data if they are going to act as a relay for you at all. Very few things on Nostr work with ephemeral events alone.
Perhaps the greatest problem with this setup is that the post content is separate from the post itself. I hope that most of us remember what a giant mess hosting images for forums on free image hosting services (that were later shut down) caused.
> Software for chatting on the Internet should be small and fun.
Small and fun is the magic here. There's immense product insight in building a product experience that feels really small, intimate. It's the counterbalance to the unwieldy scale of Big Tech.
We're in the natural cycle of things, I'm just saying I seem to really get the feeling "the future is small", if that makes sense. It's quite stressful to navigate the entire planet's information and inventory.
I feel the same way. I don’t feel the need or desire to be connected to every single person on earth through some app. I left almost all social platforms a couple years ago (except HN).
I got into nostr and feel like it’s almost exactly what I want from social media. Just a reverse chronological feed of the people I follow.
i agree, it's fun because of the people. a product is "not fun" when it impedes on those personal connections. like the obvious thing of injecting ads everywhere, a product doing that, is not fun in my view. it's infuriating
Anything Jack is involved in is tainted for me until further notice. I wouldn't even dare to touch any of his new platforms, seeing his connections with Elon and how his judgement failed so spectacularly with the Twitter deal - it's not worth it, just to be sold out again when he gets bored of it or it doesn't end up being a business. At least he admitted to it.
I'm not saying Mastodon is the solution, but at least no one can take it away from me at a whim or has full control over the protocol and the app.
> how his judgement failed so spectacularly with the Twitter deal
A CEO doesn’t approve an acquisition in a publicly traded company. The Board of Directors decide.
> or has full control over the protocol and the app.
Jack does not have any control over the nostr protocol.
He may arguably have some control over one of the iOS client apps (due to him finding the dev), but that’s about it.
I was an organizer of nostrica (nostr’s first conference) last month. Yes, Jack paid for the venue, food & merch but he didn’t ask for anything in return.
He was very humble about the whole thing. More than I thought he would be.
> A CEO doesn’t approve an acquisition in a publicly traded company. The Board of Directors decide.
Don't put words in my mouth. It may not entirely have been his decision, but nobody forced him to go on Twitter to say that he "chose him" and that he "believes it with all his heart"[0]. You cannot possibly tell me that you think that he was uninvolved in setting up the deal. Him being friends with Elon for ages is public track record.
> Jack does not have any control over the nostr protocol.
Jack is bankrolling the founder of the protocol with more than $240k. If you think that a SV CEO is doing that because he wants to create a better world, good on you. If you have any evidence that that doesn't give him any control, I'd be happy to see it. I feel like it's valid to be a little sceptical.
The recipient of that donation (@fiatjaf) immediately split it 50/50 with the developer of Damus (@jb55). All distributions have been done in public. At last check, fiatjaf has already disbursed 70% of the donation to other people/groups.
fiatjaf has been a prominent developer in the Bitcoin community for many years. Think what you may about crypto bros, fiatjaf is not that. I've had the pleasure of working with him a bit & have been on the receiving end of debates with him. I've always found him to be an upstanding person with deeply rooted ethics, even if I regularly disagree with him. If $240k were enough to sway him to do something he thought was wrong, Bitcoin would've been destroyed already.
I understand where you're coming from, though. If I didn't know the players and hadn't followed along (on nostr) intently throughout, I would likely have the same concerns as you. I still do, to some extent. Though my personal experiences and interactions with these people have helped assuage most of it.
I have played with this a bit lately and my conclusion thus far is: The idea of trying to bind everything to a single private key is such a bad idea for the average person. In order to truly secure a private key you have to go to pretty extraordinary lengths. It is not easy. It is not "common sense."
Like most of crypto, the basic immutable nature of things is simply bad for humans. Here, your private key is eventually going to get stolen because you have to type in your private key for every login. It creates a phishing/key-logging jackpot. And once the attacker gets your private key there is no recourse. No password reset. No way to regain access. Your accounts are forever compromised. This is the problem with "decentralization" in general. All of the benefits it brings are completely washed away by the mundane daily activities of being human.
I've tinkered with nostr and there's plenty to agree with here, but it's not specific to nostr. Nostr is in its very early days where people who tinker now are also pretty good at protecting that private key (dorks like us). For mass adoption we're probably going to see WebAuthn develop and solve the problems you're mentioning for most non-technical people. The early dorks will flinch at Apple/Google syncing people's e2ee keys, but techies will always be able to just dial in their private key to the client of their choosing. So it will be a bit messy, but hopefully the best of both worlds. And a giant improvement from the current paradigm.
I don't use it, but Minds is an example of an app that is using delegated keys to sign people's messages using nostr protocol, allowing a user's data a route out of Minds' infrastructure in the future. Again, seems a healthy improvement.
There are ways to fix this, such as the ability to issue a key revocation and a new key via a secondary key stored elsewhere, but few of these systems implement such measures.
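One way to build the revocation mechanism this comment describes (an offline secondary key that can retire a stolen signing key), as an added illustration that is not part of this thread and not Nostr's own scheme: it uses Go's standard-library Ed25519 rather than the secp256k1 keys Nostr actually signs with, and every type and function name here is my own. The same block is also the concrete thing to look at for the key-rotation trade-off raised later in the thread.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is what a follower stores for someone: the key whose signatures it
// currently accepts, plus a hash commitment to a recovery key the owner keeps
// offline. Only the hash is published, so the recovery key is never typed into
// a client and is not exposed to phishing or key-logging until it is used.
type Identity struct {
	ActivePub      ed25519.PublicKey
	RecoveryCommit [32]byte
}

// Rotation is the signed statement "retire OldPub, trust NewPub from now on,
// and commit to my next recovery key". It is authorised by the recovery key,
// never by the (possibly stolen) active key.
type Rotation struct {
	OldPub             ed25519.PublicKey
	NewPub             ed25519.PublicKey
	NextRecoveryCommit [32]byte
	RecoveryPub        ed25519.PublicKey // revealed only at rotation time
	Sig                []byte
}

// NewSigningKey returns a fresh Ed25519 key pair (panics only on RNG failure).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// CommitRecovery is the published commitment: SHA-256 of the recovery public key.
func CommitRecovery(recoveryPub ed25519.PublicKey) [32]byte {
	return sha256.Sum256(recoveryPub)
}

// NewIdentity returns the public identity plus both private keys separately,
// because they belong in very different places (daily client vs. offline).
func NewIdentity() (Identity, ed25519.PrivateKey, ed25519.PrivateKey) {
	activePub, activePriv := NewSigningKey()
	recoveryPub, recoveryPriv := NewSigningKey()
	return Identity{ActivePub: activePub, RecoveryCommit: CommitRecovery(recoveryPub)}, activePriv, recoveryPriv
}

// rotationMessage is the exact byte string that gets signed. The fixed prefix
// domain-separates it from ordinary posts, so a signature over some other
// message can never be replayed as a rotation.
func rotationMessage(oldPub, newPub ed25519.PublicKey, next [32]byte) []byte {
	msg := append([]byte("key-rotation-v0|"), oldPub...)
	msg = append(append(msg, '|'), newPub...)
	return append(append(msg, '|'), next[:]...)
}

// SignRotation is run by the owner with the offline recovery private key.
func SignRotation(recoveryPriv ed25519.PrivateKey, oldPub, newPub ed25519.PublicKey, next [32]byte) Rotation {
	recoveryPub := recoveryPriv.Public().(ed25519.PublicKey)
	return Rotation{OldPub: oldPub, NewPub: newPub, NextRecoveryCommit: next, RecoveryPub: recoveryPub,
		Sig: ed25519.Sign(recoveryPriv, rotationMessage(oldPub, newPub, next))}
}

// VerifyRotation is what a follower (or relay) checks before changing which key
// it trusts. A thief holding only the active private key fails the second check:
// whatever key they sign with does not hash to the published commitment.
func VerifyRotation(id Identity, r Rotation) error {
	if !bytes.Equal(r.OldPub, id.ActivePub) {
		return errors.New("rotation does not name the currently active key")
	}
	if CommitRecovery(r.RecoveryPub) != id.RecoveryCommit {
		return errors.New("revealed recovery key does not match the published commitment")
	}
	if !ed25519.Verify(r.RecoveryPub, rotationMessage(r.OldPub, r.NewPub, r.NextRecoveryCommit), r.Sig) {
		return errors.New("rotation signature is invalid")
	}
	return nil
}

// ApplyRotation returns the follower's updated record: the old key is revoked
// and the now-revealed recovery key is retired in favour of the next commitment.
func ApplyRotation(id Identity, r Rotation) (Identity, error) {
	if err := VerifyRotation(id, r); err != nil {
		return Identity{}, err
	}
	return Identity{ActivePub: r.NewPub, RecoveryCommit: r.NextRecoveryCommit}, nil
}

// SignPost / AcceptsPost model an ordinary signed message and the follower-side check.
func SignPost(priv ed25519.PrivateKey, post []byte) []byte { return ed25519.Sign(priv, post) }
func AcceptsPost(id Identity, post, sig []byte) bool   { return ed25519.Verify(id.ActivePub, post, sig) }

func main() {
	// Constructed scenario: the active key has leaked, so the owner rotates.
	id, activePriv, recoveryPriv := NewIdentity()
	newPub, newPriv := NewSigningKey()
	nextRecoveryPub, _ := NewSigningKey()
	rotated, err := ApplyRotation(id, SignRotation(recoveryPriv, id.ActivePub, newPub, CommitRecovery(nextRecoveryPub)))
	post := []byte("hello after rotation")
	fmt.Println("rotation accepted:", err == nil)
	fmt.Println("old key still accepted:", AcceptsPost(rotated, post, SignPost(activePriv, post)))
	fmt.Println("new key accepted:", AcceptsPost(rotated, post, SignPost(newPriv, post)))
}
```

What the block leaves unsolved is exactly the complexity the thread returns to later: it says nothing about how every follower and relay learns of the rotation, so anyone who never sees it keeps trusting the stolen key, and forcing a single agreed ordering of rotations is what pushes such designs toward a blockchain or some other consensus layer.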
Nice (blog author here); just heard this showed up on the frontpage from someone on Nostr.
If I was writing an update to this, I'd probably point out how much better the clients (especially mobile) have gotten, in such a short span of time. As well as how lightning integration (zaps) is letting us build new capabilities (instead of just cloning twitter) that don't exist anywhere else.
Glad it's getting traction, it was a fun read and introduced me to something new (tm). One issue I had about 'Zaps' was the 'pay-to-play' aspect which seemed in discord/disharmony with the OG vision of Solving the Right Problems
There is no blockchain. No proprietary social sign-in. No “real-name policy”. No distributed hash table, onion routing, raft consensus, or peer-to-peer protocol. There is just a method of providing simple digitally signed text, and a simple, scalable search service.
I mean I get it aaannnndd 54 lines of Spec etc and there is a need for something like you offer/describe and I'm glad to have stumbled across the link that led to this blog that leads to the GH <phew!>
Lightning already exists; so it is nice that a simple protocol can integrate with it. I view them as complementary - it is good that Nostr does not need crypto, but it is still cool that they can harmonize without changing the core protocol.
It does solve a fundamental incentive problem of "who runs big relays".
In a similar vein, I'm curious how Bluesky[0] will pan out. The protocol looks very cool with how much it separates and distributes the different concerns[1] (storage, recommendations, clients, etc.) as opposed to something "federated but fairly monolithic" like Mastodon.
For what it counts, you don't need to deal with Mastodon if you want to use the fediverse. There's plenty of other servers available like Misskey and Pleroma, both of which require far less computer power. The only thing you need on paper is a domain name. Heck - you can even use a WordPress blog since Automattic if you just want to run a blog outbox.
Mastodon itself is a rails beast (lending credence to the tendency for the Fediverse to seem fairly monolithic), but that's hardly necessary. There are many other options out there (as much as the lead dev of Mastodon has been on a spree to try and hide this fact lately).
Iirc the waitlist is packed (million or so) and they've only let in 20k so far while they're working on scaling moderation (which is pluggable as well, I think).
I've been on that Matrix, there's like one guy in there who thinks that centralized key rotation is real. I didn't really see anyone else while I was there.
I wish Nostr were invented 30 years ago because it seems like an elegant protocol with room for extensions that could have served as the backend language for Twitter, IRC, FB, and more. But network effects are just so powerful and people post to be seen. Twitter isn't going to willingly open the door to competitors, and so I hope Nostr can find a few unique use cases and communities to let it blossom.
I... agree, but I don’t think recreating existing platforms is a good idea either in FOSS or commercial projects. As you say, it’s already there.
> Network effects are just so powerful and people post to be seen.
Yeah, but those people aren’t moving the needle anyway, so they can be safely ignored, for now. They’ll come when it gets popular or trendy (see the recent mastodon influx).
Current gen social media is clearly not the end-all be-all. It’s riddled with problems, both because of the business model which incentivizes short-termism like clickbait, but also inherent problems in the social graph, feeds, etc. We’ve had at least a decade of experience to learn from the mistakes of the giants. Maybe this sounds elitist, but whenever I see a Twitter clone (say current gen Mastodon or Substack Notes) all I see is a lack of creativity and courage to face novel opportunities.
Other than the tech, one big thing that’s kept me away from Nostr is the people on it. I’d rather not have my feed spammed and have Bitcoin maxis endlessly talking about how stacking Bitcoin is great.
What makes a social network work is the diverse range of people and it currently doesn’t have that at all.
I'm all for the best solution winning but here's the perspective of a regular end user.
When I read about nostr I see code examples and cryptography charts.
When I read about Mastodon (fediverse) I just run docker-compose up and I'm in business. That is what made the fediverse break through and nostr not.
It needs to be user friendly for both end users and sysadmins for it to catch on.
Also unrelated to all that, I'm kinda skeptical about any system that claims to be resistant to censorship because it will become a hotbed of racists and bigots online. On one hand certain parts of the fediverse take moderation too far, but on the other hand you can't have a platform with zero moderation. It would be chaos.
This is a tech forum. We tend to enjoy discovering and exploring new technology that's alpha quality and not yet ready to hit the shelves, and maybe we'll help them get there.
Nostr is a couple years old. How old is Mastodon? Of course it's not grandma friendly yet. No one is trying to sell it to them just yet.
I don't get this common and frustrating criticism often posted on here for any new project and idea. Every major breakthrough has started as a buggy, half-arsed project with many shortcomings. Pointing that out is not very constructive.
Regular end user... docker-compose? We have very different concepts of what a regular user is. Surely, generating a key pair must be infinitely easier than setting up docker?
There are many perspectives on what is user friendly. What helps the docker case along is its accessibility and availability to people. A lot of people know about it, so a lot of people have played around with it enough to use it.
PKI is not on the same level of accessibility and availability as docker, not even close.
The proof is to simply look at what took off and what didn't. Yes this is a tech forum but it's also a startup forum, and startups take off because they're accessible to people. Same goes for nostr: it will take off when it becomes accessible to regular people.
And even that has many different aspects. If self-hosting is an important aspect, as fediverse nodes for example, then it must also be accessible to self-hosters. That is where docker-compose comes in for the fediverse.
Intrigued by the protocol, and have been lurking on Damus for some months. But ultimately I worry it has been tainted too much by Bitcoin cultism, and its ties with Bitcoin will prevent it from being trusted by the mainstream.
Between this new tool and https://github.com/simplex-chat/simplex-chat I am starting to feel (at least from my filter bubble) that the web may be slightly starting to think about maybe someday turning the corner on the centralized-by-default model for building new applications.
And/or it's just my first time seeing a complete pendulum swing on the apocryphal mainframe-pc-mainframe-pc cycle.
I've tried using snort.social, dog testing it with the intent of recommending it, but it's basically unusable. Would someone have a good web interface to recommend?
https://www.nostr.net maintains a list of all known clients. I am a bit partial to astral, though it is resource intensive. You could try coracle, snort, or iris to see if they're more your fancy.
Nice to meet you. First time I hear about coracle.social. The main issue I had with snort is that it takes a lot of time before taking an action into account. It's a non-starter for non-geeky people.
My counterpoint would be that key rotation, while nice, isn't essential, and it comes with a lot of complexity and trade-offs. In particular, it really steers the design towards integrating with a blockchain, which many people have understandable reservations against.
After using Nostr a bit, I don't think there's a huge difference between SSB and it except that Nostr has no blob sync and they abandoned append-only logs and use different signing key cryptography.
Scuttlebutt just suffers from an inaccessible implementation at the moment, but there is a team coming together to make a working implementation again.
Telegram has stuck with me as a red flag. Mostly because Signal, which emerged around the same time, apparently had the better tech and was open. Not sure whether that changed.
Signal development came from an ex-Twitter director that was initially sponsored by the CIA (through Radio Free Europe) and then developed with experts in the backyard of the NSA (Hawaii). Eventually this relatively unknown messenger algorithm got adopted by a messenger company owned by Facebook (a privacy loving group) for over a billion users.
It ain't no surprise that just about everyone relevant in the crypto world prefers Telegram over something called "signal" (just inform yourself what it means in the intelligence community).
The first was cryptography, the second in currency as you describe, but the third meaning and most important one is related to the latin root of that word in the sense of "secret", "hidden": https://www.etymonline.com/word/crypto-
When talking about something crypto, one must measure these two "secret" and "hidden" attributes. Signal was never really adopted because of its suspicious origin and strange adoption by whatsapp. Similar case for a few other messengers like Matrix if you get around to see that in more detail.
That’s pretty subjective. I happen to like astral, though many say it’s too slow for them. I think a lot of people are using coracle, snort.social, and iris. There are a lot of other ones under active development.
Saying "I don't want censorship" is equivalent to saying "I'm fine with people using my tool for coffee meetups, genocide planning, bridge club, and drug deals." It's an attempted handwashing of moral responsibility under the cover of software purity.
At this point, it's pretty well documented that social media _as a tool_ has increased young female mental illness; the question is only "how much" [1]. To try to wave away responsibility for this by saying "but I'm just making a tool!" is beyond irresponsible at this point; it's morally reprehensible.
Arguably, the erosion of mental health could be laid at the feet of greedy corporations using algos to push hate and division for eyeballs to advertisers.
Isn't Nostr algo free? Isn't it just a messaging service?
Yes, nostr is just a protocol. There is no inherent algorithm. A client could choose to implement one and users could then choose to just migrate to a different client without one. All I want is a reverse chronological feed of posts from people I follow. That’s it. And right now the nostr clients deliver that.
> "I'm fine with people using my tool for coffee meetups, genocide planning, bridge club, and drug deals." It's an attempted handwashing of moral responsibility under the cover of software purity.
None of these activities are efficiently stopped by censorship on the largest social media platforms... so what are you suggesting? That we continue to employ inefficient censorship (which gets also abused all the time by governments around the world), or do you have any actual solution? If not, this sounds a lot like virtue signalling to me.
The elephant in the room here is that quite likely a large part of content that may contribute to female mental illness is not hateful.
I'm of course talking about female influencers on Instagram flexing their wealth, highly customized looks, hot boyfriends, fancy holidays, etc. The phenomenon where a young girl at her most vulnerable/insecure age is ranking against this distorted image of filter-laden "expectations" is brand new.
My point being, there's a huge amount of content that is bad for our mental health, yet cannot be censored because the harm is indirect.
Social media as a tool strikes me as the same kind of argument as “REAL socialism hasn’t been tried yet”
It doesn’t feel at all to me that there are any social media platforms that function at all like tools but rather data vampires attempting to addict at any cost, and so Haidt’s mention of increased suicide rate is unfortunately not at all a surprise.
Sorry if this sounds harsh but calling platforms in the zeitgeist at this moment in time as tools is simply naive.
It is a tool for communication. We can build a twitter clone on it, a chess match server, IoT messaging, etc. Nostr-the-protocol is a proper tool. Agreed that the social aspects built on top of it should be built with human wellbeing in mind - not ad revenue.
Hopefully having the nostr protocol in place lets people iterate faster to build good social technology, and accelerates moving past the ad/engagement focused platforms we live with today.
nostr isn't a platform though, it's a protocol. Something closer to SMTP than to Facebook. Go build a little something on it (there are decent libraries for popular languages at this point which makes it easy) and see for yourself. It doesn't feel like a platform, it feels like a tool.
[1]: https://news.ycombinator.com/item?id=34529931