Andrei O.

@andrei0x309

760 Following

2215 Followers

Scout Game pfp

Developer Spotlight: @andrei0x309 is a privacy-first full stack dev shipping browser privacy extensions, Farcaster scripts, and open source guides on flashsoft.eu. Watch what he works on next on Scout Game. https://scoutgame.xyz/u/andrei0x309

0 reply

2 recasts

4 reactions

christopher pfp

Good morning! It’s my birthday today 🥳

44 replies

2 recasts

89 reactions

Andrei O. pfp

I literally saw a follow -4- f message from a badge holder like 3 min ago, I have no idea how many automated badge users there are but likely some automated accounts exist, to what extent this is true is hard to estimate without proper research. I don't think is super relevant because generally, these kinds of things unfold pretty quickly, in 3 months you'll know everything.

1 reply

0 recast

1 reaction

Andrei O. pfp

@harris- Pinata does not have a working GRCP anymore, the snapchain lib uses a public node that I found in one of snapchain group chats. It also works with neynar key (which will use the neynar nodes) or your own node. In the docs, the example is with Pinata, but that doesn't work anymore. ATM if you don't provide a node it will use hub.merv.fun:3383, which seems it still works check the image. https://andrei0x309.gitbook.io/farcaster-snapchain-utils

1 reply

0 recast

1 reaction

Haole pfp

yeah, to get rid of the spammy, most of time, I am using my own client🤣

0 reply

1 recast

1 reaction

Andrei O. pfp

If that's so, I don't know how this move will help the network. Other than raising 1M for the team, which is not much considering they raised 180M through VCs, this farcaster pro thing can create serious issues long-term. I guess we will be here for the ride, for me is impossible to predict an outcome now but I wouldn't have taken this risk.

1 reply

0 recast

1 reaction

Andrei O. pfp

An alternative client is probably the best option. IMO, since this pro is linked to the app no client is incentivized to show the badge even if it has the badge data, here is where the farcaster name starts to be a bit deceiving all of these rewards, and the pro feature is not directly linked to the protocol, so yeah IMO creates confusion of what exactly is linked to the underlying protocol. That being said, at farcaxter[.]xyz app level I doubt they will add an option to hide it, at least not so soon, especially if demand is low.

1 reply

0 recast

1 reaction

Andrei O. pfp

It might be a play to gain farcaster[.]xyz rewards system, the user got on top pretty quickly. I do think that ultimately many decisions will push the platform towards more engagement farming, farcaster pro is just another push towards making app rewards long-term. I did previously enumerated the cons of rewards ( https://farcaster.xyz/andrei0x309/0x587b97cc )

1 reply

0 recast

5 reactions

Andrei O. pfp

Did a minor update to farcaster-snapchain-utils, v1.1.8 to also allow the use of insecure GRPC, also replaced the default public Snapchain with a working version of a public snapchain. https://warpcast.com/yuptester/0xe3b49155 https://www.npmjs.com/package/farcaster-snapchain-utils

0 reply

0 recast

6 reactions

Andrei O. pfp

Not that I'm tribalistic, but I thought FC would be forever tied mostly with EVM, FID is on EVM, are there plans to be able to modify contracts to build a bridge to move the FID on Solana? I find it pretty hard to understand FC goals: 1 Create a good decentralized social network? 2 Onboard non-crypto people to crypto? 3 Attract crypto people from multiple ecosystems/platforms? 4 Focus on mini-apps to extract to monetize from client-side? 5 Attract non-crypto people? 6 Empower user ownership and reduce favoritism and censorship? I don't know, it feels like this product walks 10 paths at the same time, it feels very chaotic, to be clear I personally thought that the idea of slowly and iteratively creating a quality decentralized social protocol with a long runway (10y was first said) was the true goal. I'm trying to put myself into normie shoes, like someone that would come from Bluesky, and I imagine I would be spooked by 400+ features that seem disconnected from what I would expect from social media.

0 reply

0 recast

0 reaction

Andrei O. pfp

People don't want to execute JS because it's costly, so 100/100, there are many services that will do the minimum. But there are JS executing crawlers outside of search engines, prerender is pretty popular, so you're 3 code lines away from being able to parse pages that do DOM changes with JS, but again the issue is always cost. I am sure that there are also a few preview crawlers outside of Slack that do JS-enabled crawl, in terms of cost probably 1 JS crawl costs more than 100 page downloads for sure. It is a bad idea for Slack OG or Farcaster but not so much for OGs+Metadata on Bing/Google/Yandex when you absolutely need to cut SSR costs.

0 reply

0 recast

1 reaction

Andrei O. pfp

You can set it with JS, if the crawler is JS enabled it will pick the data, most search engines pick metadata that's set on the client. But there are many that just download the page without having a JS engine enabled in that case metadata sent from the server is required. In a world where all crawlers would be JS enabled SSR for metadata would not be necessary.

1 reply

0 recast

2 reactions

Andrei O. pfp

Token creator is actually banned on UI https://warpcast.com/clickersxyz

0 reply

0 recast

0 reaction

Andrei O. pfp

Clearly an unkown unkown... In my opinion, it would have been better if @circle would not get acquired. Maybe I am exaggerating, but if USDC has any large-scale incident, I don't know if the whole space can recover afterward, so for me, it seems the users of USDC are powerless anyway.

0 reply

0 recast

3 reactions

Andrei O. pfp

100/100, but when I do speculation, I want to think of all possible scenarios and always give the benefit of the doubt. Because there were 3 possible scenarios I could see: 1 They have access to the phone data for everybody, not just a hash of the phone 2 They have access to only older verification data, and newer ones are not stored 3 They used client-side encryption guarded by data that is available only on the client side The last one(3) I invalidated, so to the best of my knowledge, only 1 and 2 are possible now.

0 reply

0 recast

0 reaction

Andrei O. pfp

It seems using the auth token is enough endpoint is v2/account-verifications . I did the verification some time ago maybe they changed it for newer verifications to not store it anymore, who knows that could be tested with a new phone verification if anybody has a new number and checks this endpoint with his token he can find that out. Anyway even if this is the case, that they have changed the policy for phone storage, older verifications should have been updated to not be possible to get the phone from API. Because it's super easy to migrate old verifications to the new standard such that the data is uniform.

0 reply

0 recast

0 reaction

Andrei O. pfp

Thanks, much appreciated. I have not tested if the auth token is enough, but I can look into it. My speculation of this being guarded by the seed is the scenario, I dealt with in the past as an option when dealing with apps that integrate a client-side wallet. That scenario provides better protection for users, as any code that needs your PK needs to be executed by the client, which is more cumbersome for the provider because if users don't update the app, the provider can't take that action, or if the users use an alternative client( in Farcaster case). An example of this is the upcoming authorizing the Warplet address as an Auth address, which can only be executed with the custody PK, and will be fulfilled automatically. If is not accomplished by pushing code to the client it means Warpcast has direct access to your PK which is bad IMO. I'll take a look to see if it can be retrieved by auth token only and come back to this.

0 reply

0 recast

1 reaction

Andrei O. pfp

There are ways to provide proofs: 1 you can automate deploys, and use a third-party provider that you don't control to provide the commit for the code. For example, if Cloudflare says that worker x is deployed from commit Y, it would require Cloudflare to be compromised. 2 Remote Attestation (Hardware-Assisted Proof) Using specialized hardware features, such as Trusted Platform Modules (TPMs) or secure enclaves (like Intel SGX, AMD SEV, ARM TrustZone), to cryptographically prove the integrity of the software stack running on a server. 3 Third-Party Certifications You basically pay a trusted service to regularly inspect and publish certificates of your running code. IMO, even just open-sourcing without direct proof of deployment code is still much more trustworthy than proprietary code.

0 reply

0 recast

5 reactions

Andrei O. pfp

It's not only on the device, I just logged in with a fresh emulator. Clearly, it's stored persistently. In the best-case scenario, it's encrypted with the user-provided seed as a password, and the seed is never stored at Merkl. But again, without the full source code of the backend + client, it's just: "trust me, bro", for all we know, even the seed could have been stored.

2 replies

2 recasts

19 reactions

Andrei O. pfp

Rewrote this Kotlin Android App that needs root to auto disconnect Data/WIFI. Looks like on newer Android systems, to make this reliable, you need a ton of permissions, including a special service permission. This special service permission allows the service to run in the background continuously, without user interaction with the app, and from SDK 33 onwards, you can also run it without displaying anything to the user. Since they tightened the Store so much, I am curious if they will allow this upgrade of the app. https://github.com/andrei0x309/auto-data-disconnect-kotlin

1 reply

1 recast

4 reactions