A Brief Introduction to Nostr


“A milestone for open protocols…” This is how Jack Dorsey, co-founder and former CEO of Twitter, announced the arrival of the Damus app, a Nostr protocol client, in the App Store/iOS.

Nostr has generated buzz in developer groups, bitcoin addicts, and a crowd very suspicious of their own shadows. The reason: Nostr brings an alternative to commercial social media that, in the words of its creators, would be “truly censorship-resistant.”

But Nostr isn’t a new social network. Nostr is a protocol, something more like the web (HTTP/S) and email (IMAP/SMTP) than Twitter or Instagram.

In practice, Nostr is a foundation on which developers build applications. Its main differentiator is the authentication system, based on cryptographic keys. Experts praise the simplicity of the protocol, which in theory facilitates the development of apps.

(Hold my hand and come with me because now things get a little weirder).

To create a profile/an identity in Nostr, you need to enter or create a pair of keys:

Both keys are jumbles of letters and numbers. It is like that code from Nintendo’s virtual network, only (much) worse.

Want to follow me on Nostr? Search for npub1wa406lmdvfctavg3qgwauwrg228ylvskcyj0prfh48e0xwv6aensyv5n87.

Yeah, I know.

Three screenshots of different screens of Damus app for iOS.

With your private key, you can log into any app and feel at home with your content and connections.

Another difference of Nostr to conventional social networks is that the structure is based on “relays,” as if they were “nodes” in a peer-to-peer network.

“[Relays] allow Nostr clients to send them messages, and they may (or may not) store those messages and broadcast those messages to all other connected clients,” says Nostr.how, a good interactive Nostr tutorial.

In Nostr.watch you can see the active relays in real time and details such as latency and country of origin. At the time of writing this there are 282 active relays worldwide.

I created my profile in the Damus app and then logged into Iris, a web application (see my profile). And… it works!

When I logged into Iris, I could see the system communicating with the relays — my posts didn’t appear immediately. In one corner of the screen of both apps, Iris and Damus, you can see the number of connected relays.

A screenshot of Iris, a web app for Nostr.

Both apps are very reminiscent of Twitter, with a timeline, posting box, and direct messages, which here are encrypted end-to-end.

It doesn’t have to be this way, however. Being a protocol, Nostr allows the creation of very different apps on top of it.

On this site and in this list are different apps based on the protocol, such as Jester, a chess game, and Alby, a bitcoin wallet.

Nostr is a kind of “end-of-the-world protocol,” designed for extreme situations where absolute mistrust reigns between those involved — users, relays, and app providers.

If in Twitter you have to trust Twitter, and in Mastodon, the administrator of your instance/server, none of this is necessary in Nostr. The protocol is truly decentralized and its using, although connected, is independent of other parties.

Even the identity verification system, called NIP-05, is independent of external validations. It is done based on DNS records.

To the creators and promoters of Nostr, the great appeal is an almost full resistance to “censorship”. We know where this conversation is taking us, and… it’s not a good place.

Despite the support of influential people in the industry, like Jack Dorsey, Nostr sounds at the moment like something too complex for mass adoption — far more complex than Mastodon, for example — and without much appeal to normal people who just want to have a laugh on Twitter and look at pictures of celebrities, food, and friends on Instagram.

Much of the complexity lies in the pair of keys thing. Which is not new; This is a recurrent thing among those who work with servers and development. Although they have many advantages, it’s risky and difficult to understand for those who are not in the business.

It is no wonder that commercial apps often use abstractions, such as login and password, to make it easier for more people to use them. If people can’t keep passwords, imagine a kilometer-long pair of cryptographic keys?

My bet? It might work, but it will be niche, like other creative little protocols that pop up from time to time, such as Gemini, an alternative to the web that looks like the web of the 1990s.

When Social Media Moderation Becomes Our Responsibility


Being in the fediverse today is a familiar and weird experience at the same time.

On the surface, it’s all very similar to Twitter and other social networks. Yes, the system for following/finding someone is kind of clunky and there are unique features and conventions there, like the “content warning” and the emphasis on image descriptions. These details are quickly learned, though.

Things can get (and do) more complex.

Time and again, differences emerge between instances (themselves, a difficult concept to explain) and groups of users, such as long-time users and newcomers coming from Twitter. And although the power dynamics are good, better than those of commercial alternatives — decentralized, with distributed power — this doesn’t mean that the architecture is ready or does not need adjustments, improvements.

One obvious, long due is to give more transparency to instance blocking.

Instances, or communities, have the power to block each other. And they, or most of them, make use of this power. Which is great: the social network Gab, that one for white supremacists? It’s Mastodon under the hood, which doesn’t mean much because almost all other instances preventively block it.

So far, so good. The problem is that reporting these blocks is right now at the discretion of the instance administrator. There is no way for anyone to know about the blocks done on their behalf, nor about the blocks of other instances to theirs.

And, at the very least, Mastodon should notify members involved in cross-instance lockouts. This helps users to be aware of the administration’s actions and make informed decisions to stay or migrate instances. (Migration is a smooth process and you don’t lose followers by doing it.)

A practical example. In late 2022, Brazilian instances blocked another, called Ursal. Some administrators, such as Donte’s and Bantu’s (both in Portuguese), published posts justifying the decision. We cannot tolerate certain abuses, and we are all grown ups with limited time. The omission of the administration of one instance requires the administration of other instances to moderate other members about basic civility practices. This isn’t sustainable, and it’s also pretty lame.

Nothing wrong with blocking instances with bad admins. The problem is that I only found out about the blocking when it was already in effect. The account for my Portuguese-written blog was at Donte and, as much as I now agree with the admin’s decision and praise his hard work, this decision affected the relationship I had with people at Ursal, who, like me, were not aware of the troubles of Ursal admin. We were taken by surprise with the breakdown.

When I migrated my blog’s account to its own instance, re-establishing contact with Ursal, someone from Donte questioned me:

Is Ursal blocked on Donte? I had followers and followed people from there. Does this mean that our communication is no longer possible?

Yes, it means exactly that.

A global and automatic notification system would avoid this kind of unpleasant surprise. There’s nothing like that on Mastodon roadmap, although a (great) feature suggestion was made on GitHub two years ago.

Nevertheless, despite everything, the decentralized fediverse/Mastodon model has been better than Twitter’s centralized one. If on Elon Musk’s network the abuses run wild and are only stopped at the threshold of absurdity (if ever), here on the other side, with ordinary people in charge, dialoguing, playing politics, making mistakes and learning, and trying to get it right, the environment in general is more harmonious, more pleasant.

Rushes like this involving Ursal are inevitable. We are, after all, people trying to find a common denominator to live together in an environment where communication is limited, one to many, unnatural. With patience and good will, however, we will go far.

Was this Brazilian major app bypassing Apple's location privacy on iOS?


One of the biggest Brazilian apps/startups, iFood, was peeking at iOS users location when it should’ve not.

A reader of Manual do Usuário (my Portuguese-written blog) noticed the glitch/bug while using iOS 16.2.

iFood, Brazilian largest food delivering app evaluated at USD 5.4 billion, was accessing his location when not open/in use, bypassing an iOS setting that restrict an app’s access to certain phone’s features. Even when the reader completely denied location access to it, iFood’s app continued to access his phone’s location.

Two screenshots showing iFood accessing iPhone location even when denied to do so.

We got intrigued: how was iFood getting away with this?

An educated guess was revealed by iOS 16.3 release notes, launched on January 23th. Apple mentions a security issue in Maps in that “an app may be able to bypass Privacy preferences”. It’s CVE-2023-23503, submitted by an anonymous researcher and, so far, “reserved” in CVE’s system — which means details are pending to be published.

The reader who noticed iFood’s misbehavior said that afterwards, he reseted his iPhone and that apparently solved the issue. He promptly updated to iOS 16.3 as soon it was released. So far, he haven’t notice anything unusual.

I contacted iFood’s press team to get a word about this issue. They received my request, asked for more details, but haven’t provided a statement so far. When they reply, I’ll update this post.

Update (February 1st, 17h35): iFood just sent a statement. Here it goes (my translation):

iFood reinforces that data security is a priority in its business and in the relationship with consumers, deliverers, and restaurants. The data collected is used only for the purposes set out in our Privacy Statement.

In this case, after careful analysis by the technology team, no code was identified in the iFood application that allows access to the user’s location without authorization, but even so, the company remains available to clarify any questions on the subject or any alleged failure, in order to contribute to bringing more security to the platform.

Present in over 1,700 cities in Brazil and a reference in online delivery, iFood constantly invests in security, technology and monitoring to identify and correct possible flaws and continuous improvement of the application.

My Job at Risk, Thanks to ChatGPT


A few centuries later, I feel today what British craftsmen and small producers must have felt when they saw the first machines arrive and the first factories open during the Industrial Revolution.

A new technology, generative artificial intelligences (AI), poses a threat to intellectual jobs that until recently — about five years ago — seemed safe in the face of overwhelming labor automation.

Not anymore. AIs such as ChatGPT, the LLM (large language model) type, are capable of generating coherent original texts from short prompts written by humans.

Like all revolutionary technology, it seems like magic. And it is no coincidence that I return to the same topic in less than two months. ChatGPT was launched five days after I published that first column.

Instead of spending a few hours on research, writing and editing to publish this text, for example, I could have asked ChatGPT to write something about the threat of AIs to those in the writing business. Very meta — and tired; I will spare you that.

The result would not be the same, but it would probably be “good enough”. We know, not from today, that “good enough” is often… good enough for a lot of people. And being cheaper and faster to produce, it is hard to resist.

Today, generative AIs are still a kind of curiosity, a topic for dazzled texts on LinkedIn, creative tests, experimental solutions. The potential, however, is there, wide open.

Microsoft, one of the main backers of OpenAI, the company behind the most advanced AIs (besides ChatGPT, it also owns DALL-E 2, GPT-3, and Codex), announced last week that it’s offering OpenAI services in its cloud solution and already offers features based on them in some commercial products, such as Github Copilot and Microsoft Designer. Rumors suggest that ChatGPT will soon arrive in Bing and productivity applications (Word, Excel, PowerPoint, etc.).

In journalism and writing for the web, the potential is explosive.

For years, some newsrooms, such as the Associated Press, have been using robots to produce simple texts, such as news on company balance sheets and sports results.

With the new generative AIs, this practice changes levels. Until now, the texts written by robots were sort of a logical, understandable “script”: take this data and put it into a template. With ChatGPT, however, the robot seems to gain imagination and the logic gets lost in complex and opaque algorithms.

The result is also of a different magnitude. ChatGPT creates arguments, detects consensus, discovers controversies. Although lacking awareness, it simulates one. It is “good enough.”

CNet, a US publication covering technology, began testing such an AI last year in the worst possible way: with little transparency.

Someone found out, and under scrutiny, basic errors were discovered in the nearly 80 published robotic texts. A widespread failure: of the AI and of the human being (supposedly) responsible for checking and editing the artificial text.

These are mistakes that perhaps the next version of GPT will not make. The pace is breakneck.

In the journalism domain generative AIs may not be ready for production, but in other less demanding ones they already do very well, thank you: quick responses to emails, answers to search engine queries, social network posts, top-of-funnel content for institutional blogs.

You don’t have to do much research to come across dozens of startups trying to get ahead in this new gold rush — trying to sell shovels to the prospectors who, in the end, will be using them to dig the graves of their own jobs and those of others.

When these AIs are good enough, job openings are reduced and the assignments of those left over change. From writers and editors, for example, we all become “robot babysitters”, correcting blatant (for humans) errors that may slip by in the artificial text and that we, of course, manage to catch. (Because if there is one thing we are good at, it is failing; even in this the AI reproduces us.)

Soon, my routine will gain one more demand: to prove myself flesh and blood in a purely digital environment, full of “rivals” who do not sweat, get tired, get sick, and have no mood swings. We are playing in the opponent’s camp. It is an inglorious struggle.

Unlike the 18th century British Luddites, I don’t even have a machine to wreck. The generative AIs that threaten my craft exist in the cloud, that ethereal concept, mere euphemism for “big computers in controlled warehouses far away from us”. No gunfights against robots that look like Arnold Schwarzenegger, forget about it. The machine revolution will be discreet.

And unlike what the best utopias predicted, we won’t even be able to dedicate ourselves to the arts, because generative AIs also already produce illustrations, paintings and photos. They even win contests.

Perhaps our fate, the fate of humanity, is that we will all become Simpsons grandpas screaming against the cloud. What a pathetic end.

A Quick Look at Ivory, Tapbot's Mastodon App


From the same developers of Tweetbot, here comes Ivory: a marvelous Mastodon app for iOS.

Ivory is still in alpha, i.e., in testing and (supposedly) with some rough edges. Last Saturday (14), I got access to this test version, which I now present here.

The good news is that Ivory is very reminiscent of Tweetbot and, at the same time, assimilates well the peculiarities of Mastodon. It couldn’t be different: its base is the same as Tweetbot’s and Tapbots’ craftmanship in making great apps is well known.

When you open the app, you see the main timeline. Under the posts you see the typical action buttons — reply, retweet (here called “boost”), and favorite —, plus two “internal” buttons — the share sheet and a configuration button that brings things like bookmarks, translation, and post and profile details.

Gestures, inherited from Tweetbot, are present:

Three screenshots from Ivory showing home screen/timeline features.
Screenshots: Ivory/Rodrigo Ghedin.

One cool detail about Ivory is that it features Mastodon’s timelines — something that, weirdly, the official app has chosen to leave out. Unlike Twitter, where there is only one, Mastodon offers three:

At the bottom of the window is a main menu with five icons, two of them fixed (timeline and replies) and three customizable. To change one of these three, just hold your finger on it.

The areas available there are quite varied. The highlights are the bookmarks (a kind of “private favorite”, to save posts without notifying/alerting their authors) and the statistics, which brings a series of data about your behavior while using Mastodon.

Three screenshots from Ivory showing details of the main menu (bottom of the screen) and the timeline selection (Home, Local, and Federated).
Screenshots: Ivory/Rodrigo Ghedin.

The post button is floating. You can drag it to any of the four corners of the screen.

When you tap it, it displays the composing screen. Again, all the basic options are there, even the four levels of visibility that Mastodon offers.

Not everything is perfect and up to date so far. Ivory does not yet include editing posts, a feature that has existed in Mastodon since March 2022, nor the creation of posts with content warning.

Two screenshots from Ivory showing the screen for creating/editing new posts.
Screenshots: Ivory/Rodrigo Ghedin.

Other features are absent, such as support for instance-specific emojis. All of these are on the developers’ radar. On Ivory’s website there is a list of these pending issues (“Current Roadmap”) which they promise will be fixed in the near future.

In the settings, you can add other accounts, change the behavior of the application and how it handles Mastodon features (for example, open all content warnings by default) and even customize details of the experience, such as the sounds (very tasteful, but I choose to disable them) and the app icon.

Three screenshots from Ivory showing the app settings, including the app icon selection.
Screenshots: Ivory/Rodrigo Ghedin.

Ivory is still in the “alpha” stage, but it doesn’t look like it: in two days of use, I didn’t run into any errors and the app worked very well.

No word yet on when Ivory will be released. The recent breaking of Twitter’s API for third-party apps, including Tweetbot, should speed up the release of Ivory.

On Mastodon, Paul Haddad, one of the Tapbots developers, announced that Ivory’s development has gone into “hyper mode” in order to resolve the 3-4 mandatory fixes before submission to the App Store. On Saturday (14), Ivory’s profile reported that an early access version is expected to be released by the end of January.

Ivory will be paid, probably by subscription — just like Tweetbot. If the same pricing as for the Twitter app is used, we are talking about USD 0.99 per month or USD 5.99 per year.

A macOS version of Ivory is also being developed. It is not yet available or in testing and there is no release date planned.

Mark Zuckerberg Has Never Done Anything Original and I Can Prove It


Young, billionaire, CEO and owner of majority voting power of a global company that owns apps and social networks used by billions of people every day. I am talking, of course, about Mark Zuckerberg.

Those who read this resume and know Zuck’s story might imagine a modern, digital version of the great inventors of the past. A creative, innovative brain, a living legend among us. The Einstein of this generation, the Nicolaus Copernicus of the 21st century who saw before everyone else that our lives would revolve around connected screens.

Except that this is not the case. Sorry to say, but Zuck is a good businessman and an excellent copycat. And that is all. He is no visionary.

For some years now, Zuckerberg’s empire has been under real threat for the first time. It’s a modern version of the Opium Wars that set Britain empire on a collision course with a closed and powerful China in the 19th century. Only now the opium is different: it is the endorphin shot released by likes and 15-second viral videos.

When he saw himself losing the Gen Z to TikTok, Zuckerberg reacted as usual: by copying. He copied TikTok right out of the box. What are the Reels if not a poor copy of TikTok, “please don’t upload videos from TikTok to Reels”?

Like any good warlord, Zuckerberg acts on several simultaneous fronts and tries to anticipate the next moves of his 5D chess game. While he tries to contain the advance of the Tiktokian troops on the current battlefield, he spends billions of dollars on his nucelar weapon: the metaverse.

It would be fascinating if it were new, but the metaverse is just the latest in a series of attempts to make virtual reality a thing, a technology that sounds interesting on paper but has been making human beings puke and/or get a headache since the 1980s.

Even the name is not original. Zuck stole the word “metaverse” — to the point of changing the name of his company to Meta — from a Neil Stephenson novel that he must have read as a teenager and thought was awesome.

(Indeed, a black and oriental samurai who is also a super hacker, a description of Hiro Protagonist, the protagonist of Stephenson’s Snowcrash, is an irresistible character.)

Two of Meta’s three main apps were bought — that’s where Zuckerberg’s business abilities comes in. Instagram and WhatsApp were the biggest bargains in tech business history. They would have been threats to Facebook itself had they not been acquired while there was still time.

When he tried the same thing with Snapchat, another threat that emerged in 2013, Zuck was met with something new: a “no”.

The refusal led him to desperate measures, and it was then that he discovered the power of copy, although not at first.

Before he ended Snapchat’s growth by copying the stories feature on Instagram, Zuck tried his luck with dedicated, uninspired, and forgettable apps like Poke, Slingshot, and Bolt. (If you don’t remember those, don’t blame yourself.)

Incidentally, it’s curious how Zuckerberg’s history of failed copies seems to be largely ignored.

Besides the failed copies of Snapchat, in a quick, off the top of my head list, I recall that he has already tried unsuccessfully to copy:

Facebook, by the way, was a copy made in earlier stages. In 2003, the Winklevoss brothers approached a bright young programmer in their dorm room at Harvard University to help them with a project to create a social network for college students. The young man was Zuck.

He liked the idea, but not the partners, so he decided to bypass the Winklevoss and go for it by himself. Typical Zuckerberg.

But those who think that Facebook was Mark’s original sin are wrong.

Before this, he had caused controversy at Harvard by launching FaceMash, a site that took pictures of students from the university’s central directory and put them side by side for others to choose the hottest people.

It was a copy of Hot or Not, launched three years earlier by two Silicon Valley engineers who had made a habit of rating the beauty of random women on the street, as they were walking pieces of meat, and did not always agree with the “grades” they assigned to them.

In this incident, Zuck almost committed the single creative act of his entire career. The original idea of FaceMash was to compare the students’ photos with those of animals.

In his blog, he wrote at the time:

9:48pm. I’m a little intoxicated, not gonna lie. So what if it’s not even 10pm and it’s a Tuesday night? What? The Kirkland facebook is open on my computer desktop and some of these people have pretty horrendous facebook pics. I almost want to put some of these faces next to pictures of farm animals and have people vote on which is more attractive.

Ops, maybe… not even this? He proceeded:

It’s not such a great idea and probably not even funny, but Billy comes up with the idea of comparing two people from the facebook, and only sometimes putting a farm animal in there. Good call Mr. Olson! I think he’s onto something.

A little over two hours later, Zuck announced on the same blog that he was working on the project, but had left out the animals.

Discuss @ Hacker News.

« Previous 5 of 10 Next »