THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
Login to reply
Replies (80)
follow unfollow new ACCOUNT account account HAS BEEN this our THIS @Coinos COMPROMISED
Please and
@npub12ekp...tq0f Just confirming.
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
wtf...
How would one know that this message is from coinos itself and not a fake?
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
Confirming this from my personal account
How'd the nsec get compromised?
Shoe on head please.
Shoe on head prompt activated
Stored on a web-accessible database, I assume.
How did you confirm compromise?
FYI...
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
🧐
It's #shoeonhead and thanks. 🤙
🫡
Yup he said all the user nsecs at least used to be stored online but since has been moved, but that he thought many may have been leaked before.
Yikes 😧 lol
Nostr security is hard.. every application has the option to paste your nsec but very little way to ensure it’s not compromised. Nsec signers and other ways to log-in with Nostr needs to be improved..
Yup. Most Nostr users that have been here for a little while have done things that, from a raw security perspective, mean we should assume our nsecs are already compromised and continue to use them with that in mind. Once this is better addressed users arriving afterwards will be in a better place.
I'm not exactly sure unfortunately
Rekt
my webcam is too crappy to capture the date i wrote out 
😓👇
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
You're good. +10 style points.
How do you know it’s compromised then?
Never got around to giving this wallet a go,guess I won't now
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
This is a perfect example why Nostr Sec is easy!
You write “compromised” and post a new Npub.
![Anhern Sarsalor [finally back]'s avatar](https://image.nostr.build/0ef9488eed98a6091f4c3aa85d4acde81615321da8f156bdd8020c6eca9125c3.jpg)
How does one go through this many security failures in so little time?
I don't want to be rude, I really like what you guys are doing, and I don't want to make a bad situation worse, we bitcoiners should stick together.
This is coming one after another. Please take care of your security.
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
Dang, sorry to hear that!
Crappy is good. LLMs struggle with crappy
Some of us have been telling everyone else for like three years that pasting nsec's into websites (or allowing such) is bad practice. Some people need to learn the hard way.
Bunkers are the way
How do we know this message has not been compromised?
🤔
😳
Nice shoe 👌
Or the hacker does so.
🤯😳
If it wasn’t then he wouldn’t be telling you it’s compromised.
Cc @Jörg Lohrer
Maybe recommending coinos to you was not such a good idea..
Let's take this as a lesson and we should set up our own @Alby hub for #edufeed
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
Exactly
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
how do I know that's a verified post?
nip05
nip05
YOU CAN JUST GROW A NEW PAIR 🤙
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
🫶🏼👌🏾
PGP? 😂
Ehhh.. that's more to prove the person owns the account, not that they posted the message.
in the post, they gave an npub, and that npub has a nip05 name with their domain name.
so this confirms the given npub is correct, which means the message is not lying.
I've never seen a banana hammock that big.
Olha só rapaz kkkkk
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
Conta da Coinos comprometida
Será que agora vão entender que o nostr precisa de rotatividade de chaves, revoke e subkeys como GPG?
GitHub
NIP-102: Subkey Attestation by ynniv · Pull Request #1450 · nostr-protocol/nips
This NIP defines a way to separate identity from authentication using hierarchical deterministic (HD) keys. This allows people to use one key pair ...
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
How could that be. Imagine if GPG keys were just a single static key?
That's why we should separate identity and authorization:
View quoted note →
GitHub
NIP-102: Subkey Attestation by ynniv · Pull Request #1450 · nostr-protocol/nips
This NIP defines a way to separate identity from authentication using hierarchical deterministic (HD) keys. This allows people to use one key pair ...
Unless the one who compromised, posted it?
Looks like it could transport an elephant.
Oh jeez ...their domain....my bad ... 😂😂🫠
Ok
But how do I know this npub had any nip-05 alias configured and it has changed to another npub?
I followed this npub, not the NIP-05 alias...
I don't remember which DNS name was defined this npub....
Followed the new account. 🫡
coinos is a company.
https://coinos.io is their domain.
are you for real asking how do we know the new npub belongs to coinos?
or are you trying to ask a more general question about how to verify people with compromised nsecs?
The second one.
I understand nip-05 use for a company with a known DNS name to point to it's 'official' npub.
But I think that is of no use for people's npubs.
I think WoT is a better option there.
🫂
sounds like a bluff, followed
View quoted note →
Shit, if my associated lightning url gets cooked, that's gonna be the last straw.
View quoted note →
Someone was able to publish a kind 0 that changed our nip05 and lud16 fields to bogus addresses
Who is this? @npub1t3pw...vn7w
NIP 05 isn't pointing to the new profile in OP 🤷♂️
ffs
Who stops the "hacker" doing the same? 😉
Getting your nsec compromised shouldn’t make you lose all your followers.
We need to decouple private keys and identity. Private keys should never leave the device that generated them.
Anyone working on the equivalent of a SAFE multisig for Nostr?
I know about Frostr. Is anyone using it? Any other explorations?
View quoted note →
well done
in the case of a leaked nsec, the easiest way to prove it is just drop the nsec
#ShoeOnHead!
@Amethyst , it would be nice seeing in the UI the last time a npub profile has been updated for cases like this one.
🫂
cc. @Vitor Pamplona
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
yup
Nostr signers . The copy paste is the weak point , if only human brain can memorise that key .
The good way would be generate your seed phrase ( mnemonic) on offline device to prevent any network exposure
lol #coinos is toast!
THIS ACCOUNT HAS BEEN COMPROMISED
Please unfollow this account and follow our new account @Coinos
View quoted note →
mark