If you think DNS is vulnerable just wait til we see BGP hijacking on the Lightning Network
tank
npub1xyd5...n6n2
Founder Coach
Has anyone thought about a subkey spec for nostr? PGP supports a similar concept. This would allow keeping your primary key very safe e.g. by storing it in a yubikey or HSM. This primary key represents your online identity and is only used to create/revoke subkeys. Subkeys could then be used for different apps e.g. binary signing for developers and clients with different security models. Here’s an explanation for OpenPGP subkeys:
Subkeys - Debian Wiki
What are the current best practices for nsec storage and key rotation?
“Europeans need to understand that they will be cut off from using commonplace secure messengers if chat control is adopted – that means losing touch with your friends and colleagues around the world”
This makes me sad and angry. If this goes through it only deepens my conviction for more decentralization and broad adoption of easy-to-use cryptography.
Both of my grandfathers fought in WWII and the intergenerational trauma is still rippling through. The EU as a single market is a great success story as a peace project. The EU parliament on the other hand is failing as a democratic institution to act in its citizens’ interest. There is broad consensus among citizens, security experts, and messaging services wrt ChatControl. No one wants this.
Regardless of what the outcome is, we will continue to build open source software. And I will continue to work to support startups doing the brave work to build these products.
The original Lightning App we built had auto updates (using Electron’s autoUpdater). This was often criticized at the time, which is understandable since lightning network was still new in 2018 and many users came with concepts and best practices of bitcoin core, where updates might change the consensus rules. But lightning is vastly more complex than the base chain. The whole premise of scaling in layers is that lightning can be more complex, take bigger risks and change quicker. While most lightning deployments are server based and do not use an app wrapper, it may be worth exploring an opt-in auto-update mechanism for node runners. This way folks who just want to set and forget their node can at least get the latest security updates.
I once asked Lola if she has time for a call because I disagreed with her on something and wanted to know what I’m missing. She took the time to explain and we had a great conversation about bitcoin and privacy. She really knows her stuff and we should all be grateful she is so passionate about what she does.
For EU folks worried about losing Signal/WhatsApp if ChatControl passes… you don’t need a credit card to change your App Store region.
“The best thing to do is to contact apple support in your country. I requested a call online and they phoned me back within the minute and sorted it out immediately. Fantastic service and free!”

Apple Support
Change your Apple Account country or region - Apple Support
Before you update your location, you must spend your account balance and cancel your subscriptions.
Ask Different
Cannot change region of Apple ID without credit card details
I have an iPhone 6s Plus. I want to change the country and region but I'm being asked to enter my credit card details, with no other option. 
Running portal 

Chrome dominated the browser market by innovating and driving open web standards. Internet Explorer got left behind despite its dominant market share.
Lightning implementations are similar. Those that drive open standards demanded by the market will win.

Great discussion about fees and trade-offs 

Stick from SatoshiLabs on protecting Open Source at @BTC Prague 

Whenever I see a hit piece in the media I am reminded of Karpman’s drama triangle (explained in the video). Journalists taking a villain position is a classic state of victimhood.
Btw Diana Chapman is amazing and was a big inspiration when I decided to do my coaching training after healing from burnout in 2021.
GM
Before complaining, ask yourself:
How am I complicit in creating the circumstances leading to my unhappiness? Then take action on that.
You’re welcome.
I used to maintain the OpenPGP.js library (used in ProtonMail) and I don’t use PGP. And Phil Zimmermann doesn’t use PGP because he prefers Apple Mail on his iPhone.
I always ask myself: what’s the point of asking users to download a PGP public key to verify a binary they download from the same website? Users aren’t getting more integrity assurances over what SSL already offers them, since most have no idea how to use WoT.
It’s different with nostr... every user has a WoT that they can manage (with decent enough UX) and it already gives them value outside of verifying binaries. So I’d love to see an easy-to-use “nostr-verify” unix program that you pass your npub that *just works*. Anyone that wants to attest a given binary can upload their signatures to their relays. Then the “nostr-verify” program just pulls these sigs from my relays to verify the binary. Does this exist?

