Your New Marijuana Injecting Waifu :weed: (sjw@bae.st)'s status on Thursday, 01-Sep-2022 13:15:52 JST
:jahy_derp:
Gamercat :bongo: (gamercat@socnet.softgirl.online)'s status on Thursday, 01-Sep-2022 13:15:52 JST
@sjw Yes, more secure, that's what I believed.
Gamercat :bongo: (gamercat@socnet.softgirl.online)'s status on Thursday, 01-Sep-2022 13:34:15 JST
@lanodan @sjw
> Like data breach of a fedi instance wouldn't be as much of an issue as basically any other social network
Provided people are not idiots who register in a crowd on one instance.
Your New Marijuana Injecting Waifu :weed: (sjw@bae.st)'s status on Thursday, 01-Sep-2022 13:34:18 JST
@lanodan What even are data breaches?
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 01-Sep-2022 13:34:18 JST
@sjw Which are mostly a proprietary software problem since open-source tends to do decentralised and more local things.
Like data breach of a fedi instance wouldn't be as much of an issue as basically any other social network.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 01-Sep-2022 13:34:22 JST
@sjw
> It cannot be altered or tampered with
lol *points at video games having mods, cracks and various cheats*
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 01-Sep-2022 13:35:58 JST
@sjw And you would get either one instance if it's an admin making an error.
Maybe more if it's a software issue.
But definitely not more than say 50%, except maybe if one of the big hosters like Hetzner gets breached seriously, which is horribly unlikely.
Gamercat :bongo: likes this.
Your New Marijuana Injecting Waifu :weed: (sjw@bae.st)'s status on Thursday, 01-Sep-2022 13:35:59 JST
@lanodan The most they'd get is maybe email addresses and salted+hashed passwords and I guess DMs and chats.
yujiri (yujiri@collapsitarian.io)'s status on Thursday, 01-Sep-2022 13:38:36 JST
@sjw I fucking hate anti open source fearmongerers
Gamercat :bongo: likes this.
Gamercat :bongo: (gamercat@socnet.softgirl.online)'s status on Thursday, 01-Sep-2022 13:47:00 JST
@lanodan @sjw I will add a couple more interesting points about security on fedi, or rather Pleroma:
1. Pleroma admins can increase the length of the two-factor code. On sites that have two-factor, the code is usually 6 digits; whether Pleroma can easily increase beyond this limit I do not know, but when I was admin I increased it to 8 digits. But the more digits generated, the more resources will be used.
2. Who knows about YubiKey support in Pleroma?
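Added example, not code from anyone in this thread and not Pleroma's own implementation: RFC 6238 TOTP in stdlib Python with a configurable digit count, so the 6- versus 8-digit choice discussed above can be checked against the RFC's published SHA-1 test vectors. The secret and timestamps are the RFC's test values; the drift window of one step is an assumption.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
    The digit count only changes the final modulus; the HMAC work is identical for 6 and 8 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = 6,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps (clock drift, an assumed
    policy), comparing in constant time and without an early exit."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, digits, step)
        ok |= hmac.compare_digest(expected, code)
    return ok


def guess_space(digits: int) -> int:
    """Distinct codes an online guesser must cover per time step: 10^6 for 6 digits, 10^8 for 8."""
    return 10 ** digits


# RFC 6238 Appendix B test secret for the SHA-1 column; the timestamps used below are the RFC's too.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t, 6), totp(RFC_SECRET, t, 8))
    print("8-digit codes widen the per-step guess space by", guess_space(8) // guess_space(6), "x")
```

Note that 8 digits widens the per-step guess space a hundredfold but costs no extra HMAC work; a longer code is only as useful as the rate limiting on failed attempts around it.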
Your New Marijuana Injecting Waifu :weed: (sjw@bae.st)'s status on Thursday, 01-Sep-2022 13:47:02 JST
@lanodan Still, not that bad of a breach. We don't really collect a lot of personal info and in theory your passwords would still be safe.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 01-Sep-2022 13:47:02 JST
@sjw Yeah, pleroma uses something like argon2 or pbkdf2 with a salt that's unique to at least each instance if not each password. (too lazy to check source code for those details)
Basically you could just use password lists, which I hope are getting more and more irrelevant.
And it's probably a similar story for other fedi software.
iced depresso (icedquinn@blob.cat)'s status on Thursday, 01-Sep-2022 13:47:39 JST
@lanodan @gamercat @sjw they would just get a million posts about cum :bunhdgoogly:
Gamercat :bongo: likes this.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 01-Sep-2022 13:47:42 JST
@gamercat @sjw Given fedi's current size that would probably take a long time to achieve.
Neko McCatface v2023 :verified::makemeneko: (roboneko@bae.st)'s status on Thursday, 01-Sep-2022 13:50:23 JST
@sjw @lanodan
> Not as good as argon2 but still more than enough
no. it is not. at this point typical pbkdf2 (ie spec'd as -HMAC-SHA256 or similar) needs well over 1 million iterations to be worthwhile and even then it *still* isn't memory hard (ex the ETH algo) let alone difficult for a GPU to execute (ex XMR). argon2 in mixed mode (ie Argon2id) is your best bet for a default but honestly if it actually matters JUST USE KEY BASED AUTH OR A PASSWORD MANAGER IT'S 2022 AAAAAAHHHHHHH :not_like_this:
Gamercat :bongo: likes this.
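Added example, not code from anyone in this thread and not Pleroma's own hashing: a stdlib Python sketch of the parameters being argued about. It stores PBKDF2-HMAC-SHA256 with a per-password random salt and a configurable iteration count, uses scrypt as a stand-in for Argon2id (argon2 is not in the standard library, but scrypt is also memory-hard), and measures how much a high iteration count costs per guess. The iteration count, salt size and storage string format are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Parameters chosen for this example; they are NOT Pleroma's actual settings.
PBKDF2_ITERATIONS = 1_000_000   # the ballpark the post calls "worthwhile" for PBKDF2-HMAC-SHA256
SALT_BYTES = 16                 # fresh random salt per password, so equal passwords never collide


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (a format constructed here)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def memory_hard_hash(password: str, salt: bytes) -> bytes:
    """scrypt stands in for Argon2id (argon2 is not in the stdlib). With n=2^14, r=8 each guess
    needs about 16 MiB of RAM, which is what throttles a GPU; PBKDF2 needs almost no memory,
    so only its iteration count slows an attacker down."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, maxmem=2 ** 26)


def cost_ratio(low_iterations: int, high_iterations: int) -> float:
    """Seconds per PBKDF2 guess at high_iterations divided by seconds per guess at low_iterations."""
    salt = b"constructed-fixed-salt"

    def seconds(iters: int) -> float:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", salt, iters)
        return time.perf_counter() - t0

    return seconds(high_iterations) / seconds(low_iterations)


if __name__ == "__main__":
    stored = hash_password("hunter2")
    print(stored)
    print("verify ok:", verify_password("hunter2", stored), "wrong:", verify_password("hunter3", stored))
    print(f"1M iterations costs {cost_ratio(1_000, PBKDF2_ITERATIONS):.0f}x a 1k-iteration guess")
```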
Your New Marijuana Injecting Waifu :weed: (sjw@bae.st)'s status on Thursday, 01-Sep-2022 13:50:24 JST
@lanodan pretty sure we use pbkdf2
Not as good as argon2 but still more than enough