Episode Transcript
[00:00:00] Speaker A: Nobody uses PGP encrypted email anymore. Everybody moved to Signal or Simplex. And no sane person will undertake the massive effort to build a web of trust from the ground up just to verify a few downloads a year. But if a socially active network of cryptographic key pairs happens to exist all.
[00:00:24] Speaker B: Of a sudden, utility massively increases and.
[00:00:28] Speaker A: The effort of building a network of trusted developers goes down. Since trust is a problem of social nature, there is no better way than deriving it from a naturally social context. Keybase got the idea right, but Nostr is uniquely positioned to solve this problem. Even your mom can now cryptographically verify a downloaded app.
The best in Bitcoin made audible. I am Guy Swann and this is Bitcoin Audible.
What is up guys?
[00:01:21] Speaker B: Welcome back to Bitcoin Audible. I am Guy Swann, the guy who has read more about Bitcoin than anybody else you know. This show is brought to you by the Bitkit sovereign on-chain and Lightning wallet on mobile. It is a fantastically designed and simple mobile wallet. If you were looking for one that has really good integration and is just super intuitive, Bitkit is a fantastic one to check out.
[00:01:47] Speaker A: And the Jade plus hardware wallet. If you have not seen this baby.
[00:01:51] Speaker B: Check out my unboxing video on Twitter and Nostr and YouTube. I've had a number of people say they really liked it and it was really fun to do, but you can get 10% off with code Guy G U Y at checkout link and details.
[00:02:06] Speaker A: Are right there in the description. If you just scroll, scroll right down.
[00:02:09] Speaker B: Just like kind of lift up the page on your mobile, all those details, all those deets are right there. All right, we got a fantastic little article. This is about Zap Store and why it is. And I don't mean it's like about Zap Store the project. I mean it kind of is about Zap Store the project, but they don't mention themselves. This is written by Zap Store or the developer of Zap Store. But it's about the idea of decentralizing the App Store itself and what the challenges are that have prevented this from being a successful thing in the past. Why you have not been able to verify or attest to the integrity of a direct download or a direct payment from a developer or a company or.
[00:02:56] Speaker A: A server, whatever it is.
[00:02:57] Speaker B: And this is why you have these giant centralized platforms essentially being used to.
[00:03:03] Speaker A: Band aid over to duct tape over this enormous problem of authentication and, and.
[00:03:08] Speaker B: Payment and trusted sources of information to be able to cryptographically know you are downloading the right thing from the right.
[00:03:16] Speaker A: Person, but that all the pieces of.
[00:03:18] Speaker B: The puzzle that you actually need to.
[00:03:21] Speaker A: Make this possible and to do those.
[00:03:23] Speaker B: Seemingly massive tasks to accomplish that is.
[00:03:27] Speaker A: Conveniently provided by default thanks to Nostr and Bitcoin.
[00:03:33] Speaker B: So let's dig a little bit more into the specifics of the problem and why it is that Nostr and Bitcoin.
[00:03:40] Speaker A: May change the structure and nature of the very networks by which we obtain all of our content and applications.
[00:03:49] Speaker B: So with that introduction, let's go ahead and jump into today's article and it's.
[00:03:55] Speaker A: Titled Can Nostr Fix App Distribution?
By Zap Store. There are four angles from which I want to discuss this: discoverability, security, reputation, and monetization.
The App Store model, a curated catalog of applications, addresses these in various ways and is by far the most common distribution method. Google Play Store and Apple App Store lead the pack with around 95% market share outside of China, along with other Android stores: Amazon Store, Samsung Galaxy Store and the Microsoft Store. They are the major proprietary closed source stores. They control every link in the distribution chain. Open source stores work a bit differently. The store UI can manage apps from multiple repositories; for the most part, though, they are used with the default: F-Droid for Android with their official repo, Snap for Ubuntu Linux with Snapcraft, Flatpak for Linux with Flathub. App stores are the only realistic method to distribute applications to humans at scale. But current implementations have important shortfalls. They are all, in varying degrees, trusted third parties offering convenience at the expense of sovereignty in different ways.
Discoverability. High quality search, trending lists and recommendations are important factors for app discovery. The main stores are tightly integrated with their respective operating systems, so they are the user's default go-to. This creates a strong incentive for developers to publish there, and this results in a rich app ecosystem.
But centralization has its problems. The algorithms of these stores may prioritize promoting content, displaying ads, or making it difficult to discover niche apps. They regularly censor due to state regulations and corporate agendas, or just for some random reason. The iOS App Store is the most problematic of all. There are no alternative ways of installing apps other than going through tedious hoops. The recent third party app store changes in the EU are a complete LARP. Marketplaces must still get permission from Apple, and only a single version of an app across different stores is allowed. Open stores do not censor and anyone can add their own repository. But this extra step also hurts discoverability.
One can of course find apps outside the realm of an app store, for instance from links shared on social media. I'll further discuss the direct download approach in the security section. Furthermore, major stores are split in countries and regions due to legal or regulatory requirements, so apps available in one area may be invisible in another. Enabling localized content may improve discoverability because of the increased cultural relevance.
[00:07:11] Speaker B: An app store on Nostr, on the.
[00:07:13] Speaker A: Other hand, could leverage borderless social connections, which is way more relevant than a geographic silo. Discovering new apps could become more like getting personalized recommendations from your friends, as opposed to browsing a generic list created by minions at a faceless corporation.
Other handy features such as NIP-51 could bring curated app lists to one-click bulk install a la Ninite, both as personal backup or as recommendations. Security. Here I'd like to talk about a few key aspects separately.
Transmission security: checking file integrity via digital signatures to prevent tampering. Application security: scanning packages for malware and enforcing OS-level runtime security. Preventing private information or metadata leakage. Transmission security. Apple and Google prevent in-transit attacks through public key infrastructure, or PKI. They provide developers with signing certificates in addition to controlling app store front ends, domains and file servers. On Android, signing keys are pinned upon first installation and are enforced on all subsequent updates, along with a mechanism for key rotation. This is the SSH model, also known as TOFU, trust on first use. While it's possible to add custom repositories, F-Droid builds from source tarballs, hosts and self-signs all but a few packages
[00:08:55] Speaker B: In their official repo.
[00:08:57] Speaker A: This has an important downside. You need to trust them not only on the initial install but on every single update. F-Droid does not build non-free software and has a host of other issues. IzzyOnDroid is probably the most popular F-Droid alternative repository, focused on providing a curated list of APKs excluded from F-Droid official. The main difference between these repos is that Izzy hosts APKs signed by developers. Obtainium is closer to the Izzy approach. It offers no curation but removes one trust layer, as packages can be fetched directly from developers' source repositories. Signature verification is not yet implemented, so for now you need to fully trust the host, mostly GitHub, run on Microsoft infrastructure. AppVerifier is the proposed integration, a step in the good direction, but yet another centralized solution relying on certificate hashes rather than developer signatures. It is common, especially among open source developers, to use PGP to ensure artifact integrity, preventing attacks such as phishing, domain hijacking or malicious repositories. PGP relies on a web of trust to verify the authenticity of signatures. It's a good idea, but far from perfect in practice, as it's very challenging to determine trust levels transitively. There is no purely technical solution to the problem of trust, but some choices in the design and implementation of PGP make it even harder. I'm a developer and regularly get software in this way. I still find it challenging. Obviously obtaining a hash or fingerprint sitting next to the binary makes no sense, so I usually pull keys from one or two supposedly reputable key servers that match some known developer's fingerprint. Fingerprints are not the full PGP key.
[00:10:59] Speaker B: While it's probably okay, key servers must.
[00:11:03] Speaker A: Be trusted, and there have been reports of malicious actors duplicating short key IDs in the wild. The optimization of security at the expense of user experience leads most users to choose insecure tools over secure ones, so PGP unfortunately did not reach any significant level of adoption. Keybase is a very interesting attempt to improve this situation by mapping users' social identities to PGP encryption keys. Their focus was scattered: messaging, file sharing, etc. And then the team was acquihired by Zoom in 2020. Development seems to have virtually stalled ever since.
Could Nostr's web of trust be the missing ingredient in the secure transmission of packages?
Nobody uses PGP encrypted email anymore, everybody.
[00:11:59] Speaker B: Moved to Signal or Simplex, and no.
[00:12:01] Speaker A: Sane person will undertake the massive effort to build a web of trust from the ground up just to verify a.
[00:12:08] Speaker B: Few downloads a year.
[00:12:10] Speaker A: But if a socially active network of cryptographic key pairs happens to exist all of a sudden, utility massively increases and the effort of building a network of trusted developers goes down.
Since trust is a problem of social nature, there is no better way than deriving it from a naturally social context. Keybase got the idea right, but Nostr is uniquely positioned to solve this problem. Even your mom can now cryptographically verify a downloaded app. Let's imagine that Craig Raw's nsec was compromised. Once aware, he could use NIP-41 to perform a key rotation and make the fact public to his Nostr social graph. This action would occur relatively fast, circumventing the need for updating key servers and waiting for global synchronization, which might never happen in PGP. A single breach can affect entire branches of the web of trust tree, potentially causing widespread damage with very delayed detection.
Indexing packages for discoverability vastly improves UX and can be performed by any network participant since these are merely suggestions and packages are always signed and verified.
Application security. Both the Apple App Store
[00:13:41] Speaker B: And Google Play Store have their own.
[00:13:43] Speaker A: Procedures for reviewing apps before they become available to users.
[00:13:48] Speaker B: They involve human and automated processes and.
[00:13:51] Speaker A: Aim to ensure app quality, security and.
[00:13:54] Speaker B: Compliance with their policies. This approach is not foolproof, though some.
[00:13:59] Speaker A: Malicious apps can still slip through the.
[00:14:01] Speaker B: Cracks, and when it does, it's pretty bad.
Note from Craig Raw, January 6th: there
[00:14:08] Speaker A: Is still a scam Sparrow Wallet app in the Apple App Store despite myself.
[00:14:13] Speaker B: And others having reported it weeks ago.
[00:14:16] Speaker A: Worse, you have to install it to report it. Always go to the wallet's website to.
[00:14:21] Speaker B: Find the link to download it. App stores will not protect you.
[00:14:25] Speaker A: Note from Oscar P: Yet another Bitcoin theft. The Apple App Store for iOS has published a range of fraudulent Bitcoin wallet apps. My friends succumbed to the Electrum Wallet management app, typed their seed phrase in and money gone. Details follow here.
Worse yet, they give the illusion of
[00:14:46] Speaker B: security. These big tech backed proprietary walled
[00:14:50] Speaker A: gardens pose additional security risks due to their opaque nature. Corporations are the low hanging regulatory targets in a world of ever increasing state surveillance. Never forget, trusted third parties are security holes. Open stores appear to be more transparent, but still require users to place significant trust in them. The F-Droid official repo builds from source tarballs, so you need to trust the developer, F-Droid, and the transmission of data between them.
[00:15:26] Speaker B: Something similar happens with Flathub, which in
[00:15:28] Speaker A: Addition hosts binaries packaged by third parties. Yet another layer of trust as these community run projects lack resources.
[00:15:38] Speaker B: Guess what fixes this?
[00:15:39] Speaker A: And just like with direct downloads, you also need to trust binaries like an APK to correspond to the source files unless they use reproducible builds like Signal does. In terms of malware and privacy protection, Android's Play Protect checks APKs when installed from non Google Play sources. Open stores provide scanning via tools like VirusTotal, Exodus Privacy and Blacklight, but the user can't really pick and choose. On Nostr, a market of DVMs specialized in app security auditing could arise as a reputation mechanism for developers, as tools for end users, or both.
Once apps are installed, privacy and security become an operating system level concern. Sandboxed execution and varying degrees of permission controls to file system, peripherals, network and so on are used to mitigate further security issues. An app that does not use the Internet should not be granted access to it. Firewalls like Little Snitch or OpenSnitch for Linux are examples of third party software that is crucial for maintaining security and privacy. Craig Raw is a developer that I trust, but after configuring Sparrow to work completely offline (node in my LAN, disabled Mempool fee estimation, etc.) I was surprised to find an HTTP request to sparrowwallet.com with OpenSnitch, which I immediately denied. Is Craig rugging my hot wallet? I went straight to the source code. Turns out it was a simple version upgrade check. So yes, these tools aid us immensely in our strive to verify, not trust. Privacy. All app stores know the exact set of programs you use. Apple and Google in particular have a double incentive to harvest this data: on the one hand to produce accurate recommendations and on the other hand to sell it to data brokers. Privacy would be significantly improved by making direct downloads easier to verify by anyone, incentivizing the use of privacy-respecting FOSS and switching to trusted DVMs for recommendations and security audits.
Reputation. Even if an app is perfectly safe, is it worth your time or money? App stores allow users to review the apps they use. This has its limitations, as ratings and reviews can be easily gamed in these centralized systems. Having a decentralized review system can actually make it worse. Spam and Sybil attacks are relatively cheap unless the view of the network can be trusted. And that is exactly where Nostr comes in. NIP-32 reviews constrained to a pubkey's web of trust would be the perfect fit. This type of information is not only useful for other users, it also serves as a feedback mechanism for developers. Many of them derive value exclusively from reputation, but there is a better way.
Monetization. Options for charging money are available
[00:19:04] Speaker B: On the main stores, but the bullies want their cut.
[00:19:07] Speaker A: Apple and Google take hefty 15 to 30% commissions on sales and charge developers additional fixed fees. Virtually all users and developers need to be KYC'd, as they are only allowed to pay by digital fiat means and are forced to use archaic SMS verification. Apart from the privacy concerns, this excludes billions of unbanked users from buying paid apps and unbanked developers from even publishing them in these stores. Interestingly, it also marginalizes autonomous AI systems that were tasked to publish an app. A vast majority of the applications published on big stores are free, as in free beer, with a huge percentage of
[00:19:55] Speaker B: Them relying on advertising exacerbating the attention problem.
[00:19:59] Speaker A: Open stores offer no monetization options other than a donate button at best. FOSS developers usually resort to frictional and unreliable donation solutions. A lot has been written about the issues with open source funding. I can't reach any other conclusion than Bitcoin and Nostr fix this. Removing the middleman and letting users pay developers directly via zaps, Nostr Wallet Connect, or other similar primitives will fundamentally change the way apps are funded and distributed.
[00:20:35] Speaker B: Note from Will (jb55): imagine a world where we only had app stores for
[00:20:42] Speaker A: Software distribution, where you need permission to ship software to your users. We're moving toward this and it's pretty sad.
[00:20:51] Speaker B: It doesn't have to be like this.
[00:20:55] Speaker A: Support. This is an innovative feature. Given no app store has introduced post-sales support, likely due to misaligned incentives, it's the real genuine KYC. Embracing the removal of middlemen between users and developers can open up new possibilities like paid support, bounties, feature request prioritization, and even new business opportunities.
Moving forward. In the longer term, AI could drive a Cambrian explosion of software creation.
Massive improvements to efficiency tend to also cause qualitative changes. The dynamics of app distribution might look.
[00:21:44] Speaker B: Totally different than today.
[00:21:46] Speaker A: We might be remixing our own apps like we do with music on Stemstr and sending back value to all contributors.
App discovery mechanisms will require more fine tuning and review systems to be more trustworthy than they are today. Scams and malware will multiply. Dangerous software will slip through the cracks of centralized stores due to the sheer volume of submissions and the complexity of detecting all potential threats. Finally, with so much supply and demand from so many different parts of the globe, an open, borderless, neutral medium of exchange is the logical answer to monetization.
Apps are fundamental tools in our quest for self-sovereignty. Draconian regulations and privacy-invasive practices will accelerate; properly establishing trust, sourcing and verifying apps will become more important than ever. Most Nostr usage at the moment is for social commenting, certainly not as a
[00:22:49] Speaker B: Network of package maintainers, but there will be an increasing overlap between the two.
[00:22:55] Speaker A: Can trust scores emerge from web of trust and other primitives? Can NIP-94 replace manifest files? How do we minimize trust while maximizing UX? What else would be necessary to disrupt the roughly 95% big tech market share? As an app developer myself, I had only superficially been exposed to these issues. App distribution is a fascinating rabbit hole I recently fell into, and I started prototyping the solution I want to see in the world. A lot of questions remain. I don't have all the answers or even the right questions, but I feel there are enough gaps and shortcomings in the current way things are and significant room for improvement.
[00:23:46] Speaker B: This is the thing that I think is so underestimated about what we are.
[00:23:54] Speaker A: Building here, about what is being built.
[00:23:55] Speaker B: In Nostr, in Keet and Pubky, and I put these things together because I think we're looking at a set, a subset of tools for building an entirely new infrastructure. And there's a couple of really important elements that the author, the Zap Store guys, I don't know who the
[00:24:19] Speaker A: Zap Store person is and this is not signed with anything else.
[00:24:23] Speaker B: So I'll investigate a little bit after this and maybe have the link and details in the show notes.
[00:24:27] Speaker A: But it is really hard to understate how important it is that we have a key based system that is intuitive to use for the user, that naturally creates its own web of trust.
[00:24:48] Speaker B: This has been a problem of the.
[00:24:50] Speaker A: Cypherpunks, of the privacy community, of the.
[00:24:53] Speaker B: Security community for ages.
[00:24:56] Speaker A: The authentication problem on the Internet without a trusted third party, without a trusted database, without a centralized verifier telling you what or who it is that you.
[00:25:09] Speaker B: Are contacting or downloading, that problem has had a staggering uphill battle for a long, long time.
[00:25:19] Speaker A: And it has just been papered over by a bunch of giant centralized platforms.
[00:25:26] Speaker B: They've simply provided the service rather than building the tools that make it a.
[00:25:31] Speaker A: Make us able to do that.
[00:25:33] Speaker B: And having that layer, having that tool is crazy.
I love that he brings up Keybase specifically because I completely agree that Keybase had the right idea, but they set themselves up in a way that they.
[00:25:52] Speaker A: Were trying to solve the web of.
[00:25:54] Speaker B: Trust problem and to get PGP keys into everybody's hands problem first and kind of loosely creating a social atmosphere around it. I think kind of realizing that those things, those two things were connected and.
[00:26:09] Speaker A: That is the natural environment in which.
[00:26:12] Speaker B: You establish and grow trust and a reputation. And they were right. I even used Keybase for a little while. I thought it was a really cool idea, but it also kind of seems like they came about it or attacked.
[00:26:25] Speaker A: It from the wrong direction. People come to Nostr because it's fun, because they can say what they want, they can say what they think. They won't be censored, they won't be shadow banned. They come because it's a better social environment, because it's a genuine social environment.
[00:26:44] Speaker B: That is one of the things that I think is lost on people is that one of the, a lot of what people are chasing right now is.
[00:26:50] Speaker A: Authenticity and they feel like they have been lied to over and over and.
[00:26:55] Speaker B: They are being lied to as to.
[00:26:56] Speaker A: What is authentic even on their social.
[00:26:58] Speaker B: Media platforms because the algorithms are just.
[00:27:01] Speaker A: Putting stuff in front of them to try to, to manipulate them, to control them, to do and be the social.
[00:27:08] Speaker B: Be in the social place that they are supposed to be placed in their.
[00:27:13] Speaker A: Interactions, their attention, how long they scroll on something, how long they pause to look at a video, which profiles they click on is literally being used against.
[00:27:22] Speaker B: Them to trap them on that platform, to sell them crap. And look at what happens. Look at all this stuff with USAID, people are desperate. They're trying to figure out why everything feels fake and it's because they've been lied to.
[00:27:39] Speaker A: All of these structures are in place literally to manipulate and control narrative and opinion, who you talk to, who you see, which comments and which videos get put in front of you.
[00:27:52] Speaker B: We are in a massive system where.
[00:27:55] Speaker A: All of the users are a product.
[00:27:59] Speaker B: That is being drained of value, of attention and being pushed around by a.
[00:28:05] Speaker A: Whole bunch of different systems and networks that we are part a part of. And people are realizing this. People are waking up to the fact that they need to actually have a genuine social experience, that they're, they're looking for a space where they can speak their mind and where they have control.
[00:28:23] Speaker B: Where they can like selling it on people.
[00:28:26] Speaker A: When I have ever talked about Nostr
[00:28:28] Speaker B: And what I think is its most.
[00:28:29] Speaker A: Its greatest value, and same with Keet and all of this stuff that we're
[00:28:32] Speaker B: Doing, it's that they own it. They own their followers, they own their.
[00:28:37] Speaker A: Social graph, who they follow, their connections. You can get paid directly and immediately. That's another huge, huge one. But the result, the consequence of this.
[00:28:50] Speaker B: Because the only way to accomplish that.
[00:28:52] Speaker A: Is for people to actually own their accounts. So you create a simple key system. It's in the nature of the structure that keys had to be a fundamental.
[00:29:02] Speaker B: Part of it because it's the only way that authentication, signing and connecting to someone could ever be made independent, could ever be made in such a way.
[00:29:13] Speaker A: That you could still find or connect or know who you were talking to if you were going through a completely separate third party.
[00:29:20] Speaker B: But what that means, what that means.
[00:29:23] Speaker A: For a web of trust, for the.
[00:29:25] Speaker B: Fact that you can go to multiple.
[00:29:28] Speaker A: Different platforms and have the exact same.
[00:29:31] Speaker B: Developer, the exact same person that you are following and, or the project that you are following up there, and you know that it is signed and it is the exact same host, it's the exact same data from the exact same person and that this is just kind.
[00:29:47] Speaker A: Of built into Nostr.
[00:29:48] Speaker B: It's just a feature of how it works, how it enables us to create our own networks and say what we want and carry our social lives around with us and own it. But then suddenly with those exact same tools and that Exact same distribution network you could find. Let's use.
[00:30:12] Speaker A: Let's use my.
[00:30:12] Speaker B: Let's use Pear drive for example, because I. This would be a really cool thing to try to figure out how to actually utilize. This is you could find my application.
[00:30:22] Speaker A: Signed by me or Hope or whoever.
[00:30:25] Speaker B: Has uploaded it, but my signature attesting.
[00:30:27] Speaker A: To this is the one that we are hosting.
[00:30:30] Speaker B: And just like with the Coracle web of trust thing, you can just know.
[00:30:33] Speaker A: That it's my account, it's followed by all the people that you follow or whoever in your social graph that you.
[00:30:39] Speaker B: Know is connected to me. So an impersonator is very easily spotted.
I just think about this, think about this.
That you can go to any platform, anywhere on the Internet, just assuming that we have a Nostr world now, or just going by Nostr keys and the fact that you know my npub on Primal or Damus or whatever, you take that, you log in somewhere else. No matter where you go, whatever platform or where you are in the relay sphere, if you see a message signed by me or you see a link to or a pair key to a file that I have posted somewhere, you
[00:31:30] Speaker A: Know that is signed by my key.
[00:31:33] Speaker B: You know that that is my recommendation. Even no matter where it is that you arrived at that you do not.
[00:31:39] Speaker A: Have to trust the location you are.
[00:31:41] Speaker B: At that you are actually speaking or getting a message from me. Think about that.
[00:31:47] Speaker A: If you go and search for Guy.
[00:31:50] Speaker B: Swann or, let's look for Tom Woods or Dave Smith, somebody who has a really big following and has just
[00:32:00] Speaker A: Tons and tons of impersonators.
[00:32:02] Speaker B: If you follow them on Twitter or.
[00:32:06] Speaker A: Instagram or something, and then you go.
[00:32:08] Speaker B: To Facebook and you type them in.
[00:32:11] Speaker A: You have no idea if the account that you find is actually them.
[00:32:16] Speaker B: Like, I've, I've literally followed, quote, unquote, like looked for people and like found.
[00:32:20] Speaker A: People on Instagram or other social profiles.
[00:32:24] Speaker B: Or other social media and then it's like, not the right person or people.
[00:32:28] Speaker A: Will send me a message.
[00:32:29] Speaker B: Be like, I've been talking to someone who has an account because, like, my Instagram has, I don't know, 3,000 followers or something. So like, there's no clear indication as to which account is actually me. There's nothing that says, no, yeah, this is definitely the Guy Swann account. There's probably.
[00:32:47] Speaker A: There could literally be accounts that were.
[00:32:49] Speaker B: Impersonating me that just have like 5,000 fake followers in a matter of an hour. Like there could just be one at the end of today. But the idea that your client that your list of keys can go and.
[00:33:03] Speaker A: Simply by default is verifying my message.
[00:33:08] Speaker B: The link that I have sent, and that, you know, that this is a conversation and a note from me. And importantly, like really, really importantly, is.
[00:33:18] Speaker A: That it does this invisibly.
It just does this by the nature of it.
[00:33:25] Speaker B: This solves so many critical problems about finding, about verifying, about knowing who and.
[00:33:37] Speaker A: What you are interacting with. And this is such a huge use case.
[00:33:42] Speaker B: Like, this is just massive because, you know, I do this already looking for articles. You know, I'm basically following everybody's individual medium, page as a social environment, as a social web of all of their content or content that they reshare. And this is where I think Discoverability, just open Discoverability and the.
[00:34:09] Speaker A: And finding applications that other people trust, that people that you trust trust or that they use.
[00:34:15] Speaker B: Like, I could recommend Obsidian, the Obsidian app. And I talk about the fact that I use it pretty extensively for notes. I talk about Keet and stuff. But when I recommend that or something, you don't know if it's exactly the same Keet or exactly the same Obsidian when you go looking for it.
[00:34:36] Speaker A: And if I leave a review somewhere, you have no idea that that's my review. Now imagine you go to the application to look at reviews, and if you are in, if I am in your social graph or vice versa, you literally see my review because it is weighted higher. This was a whole thing about Satslantis.
[00:34:57] Speaker B: And Alex Fetsky and all of that stuff and recognize that the problem that that is solving is the exact same problem of knowing who you're getting the data from and knowing who created the data and how and where to filter that data in the list of things, in the discoverability of what you are finding and the relationship of the values.
[00:35:20] Speaker A: Of your social graph to the things.
[00:35:22] Speaker B: And the products and the services and the applications that you were looking for. So, like, a good example is, you know, you go to an app that is really popular, WhatsApp or Facebook Messenger or something, and it's got five out of five stars all over the place because tons of people use it all the time. But then you go to the Nostr version of this and suddenly there's a
[00:35:46] Speaker A: Whole bunch of two and three stars.
[00:35:48] Speaker B: And the score is like way, way lower.
[00:35:51] Speaker A: Why? Because everybody in your social graph, if.
[00:35:53] Speaker B: You're on Nostr with, you know, anybody today cares about privacy.
[00:35:58] Speaker A: They. They care and they rate it for.
[00:36:00] Speaker B: Different reasons and they're going to show in their reviews, this is all of the crap that this app was tracking.
[00:36:08] Speaker A: This app was literally in Facebook Messenger.
[00:36:10] Speaker B: If you don't know this, it will literally ping like they, they are building a map of all of the devices.
[00:36:16] Speaker A: That you are ever near, the Wi-Fi.
[00:36:18] Speaker B: Networks that you are on. It literally reads the pings that your Wi-Fi does to get a map of all the devices around you and.
[00:36:26] Speaker A: Keep a record of it.
[00:36:27] Speaker B: It is the most insane piece of malware. That thing is a literal spy application. Now imagine that your Zap Store, your.
[00:36:39] Speaker A: App store specifically is showing you reviews about the privacy implications, about the fact.
[00:36:46] Speaker B: That you have no control over this because that is what you care about.
[00:36:52] Speaker A: And you demonstrate this with your social graph.
[00:36:56] Speaker B: He specifically mentions the Sparrow Wallet problem and the Bitcoin wallet issues because there are so many scam Bitcoin wallets out there. Now imagine that you can literally know and download exactly the version of Sparrow that I am running. Or if you follow the Sparrow dev, you just know exactly the one that they have signed because it is literally in your Nostr client.
[00:37:23] Speaker A: It just shows you that this is theirs.
[00:37:26] Speaker B: And by default your local client is.
[00:37:29] Speaker A: Just reading that signature and just knows.
[00:37:32] Speaker B: That that is the correct key. And there's something else this article points out that I think is really important to understand or important to call attention to, is that we are living through the age, through the explosion of AI and the old model is not going to work anymore. The old model will literally not work anymore.
[00:37:55] Speaker A: There are going to be billions of.
[00:37:58] Speaker B: Apps, as, as said in this article, a Cambrian explosion of new apps and development. And I just think the centralized platforms.
[00:38:07] Speaker A: Are going to buckle under the weight of it all.
[00:38:10] Speaker B: It will be. They will essentially go through the enshittification of their platforms because of the level of control and restriction and filtering that.
[00:38:20] Speaker A: They will have to take over.
[00:38:22] Speaker B: All of the problems that they currently have will get worse and worse and worse, and they will get less and less safe at the exact same time.
[00:38:32] Speaker A: That all of the hindrances, all of.
[00:38:34] Speaker B: The restrictions and all of the barriers and frictions specifically to the user will continue to increase. And going back to the fact that Keybase, I think, was a really kind of ingenious beginning or attempt to solve this problem. One of the big issues with Keybase was that, which is interesting, because I did not even know about this. I remember Keybase kind of being a.
[00:39:00] Speaker A: Thing for a little while.
[00:39:01] Speaker B: I got on it. I still have a Keybase and there were a couple of people that I messaged and had conversations through it. But I always thought of it as some entity. And I didn't know, you know, it was never to me, like some sort of open protocol or anything. And then the fact that they were apparently acquired by Zoom and then development has completely stalled, it's just kind of been stagnant. Nostr. That can't happen to Nostr because nobody can buy Nostr. There's no specific company to even target or go after. Well, because one group and one app failed to continue any development and one company, essentially, you think about that like.
[00:39:46] Speaker A: Zoom essentially bought them and then the.
[00:39:48] Speaker B: Project died because they did not keep up with or put in the proper investment into continuing the platform. And the only way to ensure that that doesn't happen is an open, decentralized network of people building on stuff. And the only way to have a feasible way to create an open, decentralized marketplace and decentralized app stores and decentralized hosting and all of these things is if.
[00:40:15] Speaker A: You have a web of trust to navigate it.
[00:40:19] Speaker B: And I know I'm kind of beating the same drum over and over here, and I've talked about this a lot on the show, but I just. This is such a big thing and I don't think it's appreciated as much as it ought to be. And it will still. There's still groundwork to be laid in order to make this succeed or become truly the web of trust and provide the value that it can. But here's the thing is that it is growing and it is, it is being adopted because of an authentic social experience and zaps.
[00:40:55] Speaker A: The whole web of trust stuff is literally part two of this.
[00:41:00] Speaker B: It's the second chapter. But the foundation that is making this thing grow is specifically about how it fixes massive problems in the social sphere. Also, just total random note, if you.
[00:41:15] Speaker A: Are on Mac, you should use Little Snitch.
[00:41:16] Speaker B: I freaking love Little Snitch. And I did not even realize I.
[00:41:20] Speaker A: Don't use Open Snitch on my Linux.
[00:41:22] Speaker B: And I definitely. That's stupid. I don't know why I have not. I don't. I don't even know why that wasn't on my radar. So just a shout out to this article for reminding me of that. But basically everything in this article is why Nostr, why Pear Drive, why pubkey, why Satslantis, why all of these tools I think are beginning to solve pieces of the puzzle. Because like, one of the things that Nostr doesn't solve on its own or that has basically just been kind of hacked together with the relay system is decentralized hosting effectively now in a sense it is, but it is still kind of pseudo centralized. Like still lose your data if you are not connected to enough relays or relays aren't saving that data. And relays are unlikely to store an incredibly long history. So you have to kind of actively manage it. Whereas I think when you start adding in quote unquote nodes in a of people who want to save their entire.
[00:42:32] Speaker A: History and I think there are enough people out there essentially pro users of.
[00:42:36] Speaker B: Nostr to essentially bootstrap a, a sort of BitTorrent-like peer to peer network. And no, I don't mean that the whole thing becomes peer to peer. I mean it in the sense that hosting and servers can be accessed without domain names, without traditional Internet servers. Because I think what a lot of people hear when they think peer to peer, that they think, I mean, or that someone is referring to something specifically that's just like a volunteer network and everybody's hosting all this stuff.
[00:43:10] Speaker A: And that is not what I mean.
[00:43:11] Speaker B: And that's not what I think the value is necessarily specifically in having a peer to peer protocol where you can select multiple hosts and which one anyone connects to is irrelevant. Or you can connect to all and.
[00:43:28] Speaker A: Download from all, or access it from.
[00:43:30] Speaker B: All at the exact same time and.
[00:43:33] Speaker A: Know that it is the exact same.
[00:43:35] Speaker B: Information on and the exact same video or whatever it is on each one of those servers. I think people automatically assume that it's going to have all the fallbacks and all the oddities of BitTorrent when really what it is, what's needed, and this is exactly one of those things that Zap Store specifically mentions in this article too is that there's a lot of problems with not being able to sell content or not being able to sell.
[00:44:00] Speaker A: An application on a specifically open platform.
[00:44:04] Speaker B: But Bitcoin fixes this, zaps fix this.
[00:44:08] Speaker A: And this is the exact same problem.
[00:44:10] Speaker B: That BitTorrent had is because it could only exist as an open, free, voluntary network.
[00:44:16] Speaker A: So it came with all of the.
[00:44:18] Speaker B: Drawbacks and all of the limitations and.
[00:44:20] Speaker A: Frictions of just being open and volunteer.
[00:44:23] Speaker B: It was very unreliable because you couldn't just have.
[00:44:26] Speaker A: If you, if your device, if you have something on your phone and somebody.
[00:44:29] Speaker B: Else is trying to access it, nobody's gonna be able to get it. You're not gonna have your phone out enough for it to be reliable.
[00:44:35] Speaker A: Especially if only a couple of people.
[00:44:37] Speaker B: Are actually wanting to watch or view that information. You only have 30 people who are.
[00:44:43] Speaker A: Following you or watching your video.
[00:44:46] Speaker B: Anything that's even slightly obscure is not going to have any sort of robust or reliable connection or persistence of the file or the video or the store, whatever it is. But what if anybody you knew who had a bitcoin node and who was in your social graph, you could have them. You could literally just connect to them and have them host it for you. Or you could just pay someone $3 a month to have a storefront to have it hosted. And if you ever wanted to move hosts didn't matter, you could, you could just $3 a month or a dollar a month to somebody else who offered.
[00:45:22] Speaker A: Up the same amount of space and bandwidth.
[00:45:24] Speaker B: You can buy both of them at.
[00:45:25] Speaker A: The exact same time.
[00:45:27] Speaker B: Doesn't change your URL, doesn't change how people access it.
[00:45:30] Speaker A: Doesn't matter. They have the key.
[00:45:32] Speaker B: You now have two seeds, you now.
[00:45:35] Speaker A: Have two servers feeding your information.
[00:45:38] Speaker B: And importantly, when people download it in order to watch or use it, they might not be like an indexer in this network, but they do also mirror it. So it also can't really be DDoSed because if there are thousands of people watching it or saving it, well, then there are thousands of people potentially, or maybe tens or hundreds of people online for other people to download from and.
[00:46:02] Speaker A: Access the information off of.
[00:46:04] Speaker B: And again, just like Nostr, the key itself is what identifies that. You are looking at the exact same.
[00:46:11] Speaker A: Content with the exact same integrity and.
[00:46:14] Speaker B: You know who it's from. And it does not matter which node or which person or which quote unquote website or relay you connected to in.
[00:46:22] Speaker A: Order to get it. It is identified entirely by its signature.
[00:46:26] Speaker B: And I am just crazy bullish on all of this tech. Like just crazy crazy bullish. And literally without bitcoin and lightning, none of these models would be possible. That's the really interesting thing, is that.
[00:46:39] Speaker A: Monetization had to be solved at the exact same time or you end up.
[00:46:44] Speaker B: With something semi basically similar to F-Droid or IPFS or BitTorrent. You have something that could potentially build a niche corner of the Internet that could attract certain people or certain types of content. And specifically like BitTorrent being a great example of, it essentially ended up being a total focus on the content that could not be achieved or could not be obtained in some other way or in the specific context and degree of control that one had in BitTorrent. Like a great example is I would actually download movies that I had already purchased off of BitTorrent because the purchased.
[00:47:28] Speaker A: Version was so restricted that I could only watch it or use it in certain places.
[00:47:32] Speaker B: It wasn't until basically smart TV things became so ubiquitous that you just logged in and you could view it everywhere. But you now people don't even buy the content anymore.
[00:47:42] Speaker A: I used to literally buy it on.
[00:47:43] Speaker B: iTunes or I would buy it by DVD and it was a huge pain.
[00:47:47] Speaker A: In the butt to rip it off the DVD.
[00:47:49] Speaker B: So what do I do?
[00:47:50] Speaker A: Yeah, just go on BitTorrent and download it. I didn't even steal the media.
[00:47:53] Speaker B: I, I quote unquote stole the form factor that I, that I had the media in. Because it was how I was already, I was already living in the future and I was already consuming everything through digital content, even though none of the platforms or marketplaces or applications were there. And I think this capitulation of the market to basically open up entire catalogs and do subscription services is why BitTorrent had its heyday and went down. Because you could never actually make BitTorrent sustainable. It wasn't a marketplace where you could deliver services directly. You didn't have DVMs like on Nostr.
[00:48:28] Speaker A: You didn't have monetization.
[00:48:30] Speaker B: And because of that you could never really get legitimacy in the content marketplace. But there was nothing wrong with the peer to peer protocol. In fact, proof that it worked so unbelievably well is the fact that it.
[00:48:43] Speaker A: Succeeded and became so, so unbelievably massive. Even though the entire thing was free.
[00:48:50] Speaker B: It was an entirely voluntary network run by the participants.
[00:48:55] Speaker A: Imagine what happens when you can combine.
[00:48:58] Speaker B: The complete lack of friction in joining and hosting and participating in that marketplace and in that network with monetization, with.
[00:49:07] Speaker A: Social IDs, with web of trust, with.
[00:49:12] Speaker B: Verification of all of the content, messages and data that is being transmitted.
There's a huge opportunity for the people who figure out how to build this.
[00:49:23] Speaker A: And build the experience. Right.
[00:49:26] Speaker B: So anyway, I'm going to be checking out Zap Store. It looks like it's a CLI on Mac, which unfortunately from a UX standpoint, I mean like I have plenty of CLI tools, but just from a simple UX standpoint, like I have little need of an app store that I have to read or list out in a terminal window. And maybe I'm misunderstanding, I don't see there's not really any pictures as to what it looks like on Mac, but if you just look at the website, it looks like they're targeting the APK for Android. So this is really a focus on Android which might make me break out.
[00:49:58] Speaker A: My Android phone, which I haven't messed.
[00:50:00] Speaker B: With in a while, and just go exploring. But this is absolutely something to keep an eye on. And this goes right back to the idea that like you know, I can change my clients. The fact that I could change my app store and still have this, this trust waiting for apps that other people use and talk about, you know, this is like one of those things.
[00:50:22] Speaker A: Like all of this information has been.
[00:50:23] Speaker B: Incredibly valuable for corporations, you know, Google and Apple. Think about how insanely valuable it is to know every single app that I run and how much I use each of those apps, how often. Because every sing, every single time I boot up the app, it actually makes a call to the Apple servers or whatever to authenticate. So they literally know when I boot up and am using my applications. That's an insanely valuable piece of spyware. Really. And even if obviously they mean it as a, I mean whether or not they do as a security measure to make sure that we're authenticating that I am running the app that you know, it's protecting me from malicious software on my computer.
[00:51:09] Speaker A: Just think about even if that was.
[00:51:11] Speaker B: The only intent for why that is just having that, having that information of.
[00:51:16] Speaker A: And selling it to the company, selling it to the application developers.
[00:51:20] Speaker B: This is when and how people open up your app and how long they use it. This information has been locked away from us. It has not been put in a position, put in a place where we can utilize it, but it is actually.
[00:51:33] Speaker A: Very useful to us.
[00:51:35] Speaker B: And now imagine rather than sharing it with Apple, I'm just sharing what of that I want to, with my friends.
[00:51:44] Speaker A: With the people in my social graph.
[00:51:46] Speaker B: With my best friend, with my brother, with, with you guys, with anybody who.
[00:51:52] Speaker A: Follows or listens to me.
[00:51:53] Speaker B: Well, what apps is Guy using?
What is he reviewing lately? The idea of verifiable messages, signed messages.
[00:52:05] Speaker A: And a key, a social key structure.
[00:52:09] Speaker B: Is valuable to literally everything that we do and valuable in a way that it can. The fact that it is decentralized and you have decentralized money means that so many of the things that are valuable in these huge centralized platforms can now be done in a non platform in a decentralized way, sustainably and can actually be monetized.
[00:52:32] Speaker A: Of course we just have to build it.
[00:52:35] Speaker B: So anyway, that was a long, that.
[00:52:38] Speaker A: Was a long ranty one.
[00:52:40] Speaker B: This sort of stuff just gets me though because I think they laid out.
[00:52:44] Speaker A: What those problems are really, really well.
[00:52:46] Speaker B: And I just think, you know, what we've seen centralized companies do is try.
[00:52:52] Speaker A: To give you a curated version of the Internet.
[00:52:54] Speaker B: So your Internet looks like it's tailored to you, mine is tailored to me, etcetera, but we have not had control over these things, and we have had no feasible way to curate our own Internet based off our own values and our own weighting. Because the information that they use to.
[00:53:12] Speaker A: Accomplish this is not information that has been under our control.
[00:53:18] Speaker B: We would literally have had to get.
[00:53:20] Speaker A: API access to their servers in order.
[00:53:23] Speaker B: To even utilize this for ourselves.
[00:53:27] Speaker A: This is the beginning of us being.
[00:53:29] Speaker B: Able to do that, having that control back, being able to choose who curates our experience for us, being able to choose what algorithm we curate our Internet.
[00:53:41] Speaker A: For ourselves through our social graph.
[00:53:44] Speaker B: Now, the amount of bootstrapping that is.
[00:53:46] Speaker A: Needed for all of this to truly.
[00:53:47] Speaker B: Be available through Web of Trust is massive. But the thing is, is it can.
[00:53:52] Speaker A: Be bootstrapped at a tiny amount.
[00:53:53] Speaker B: Like just one recommendation for an app.
[00:53:55] Speaker A: From a friend in your social graph.
[00:53:57] Speaker B: Is valuable in and of itself for that one particular situation. You don't have to have a web of trust with every app in forever. You can use indexers and, you know.
[00:54:09] Speaker A: Trusted third parties to fill the gap.
[00:54:12] Speaker B: And that one recommendation from the person.
[00:54:14] Speaker A: In your social graph is still as.
[00:54:15] Speaker B: Equally valuable as it would be because of where it originated from. And that's why I think this is possible. That's why I think we can continue.
[00:54:24] Speaker A: To bootstrap this and it will just grow slowly over time until it takes.
[00:54:28] Speaker B: Over the freaking Internet. But that's just my two sats. Don't forget to check out BitKit and the Jade plus hardware wallet and I will catch you on the next one. Until then, everybody take it easy, guys.
[00:54:55] Speaker A: See, the world is full of things.
[00:54:58] Speaker B: More powerful than us.
[00:55:00] Speaker A: But if you know how to catch a ride, you can go places.
Neal Stephenson, Snow Crash.