Conversation
Alex Gleason (alex@gleasonator.com)'s status on Thursday, 24-Aug-2023 03:19:56 JST Alex Gleason Thought today was going to be a good productive day, but turns out a new Pleroma security vuln just dropped instead: https://gitlab.com/soapbox-pub/rebased/-/merge_requests/270

verita84 :Debian_logo: :firefox: :bing: :android: (verita84@poster.place)'s status on Thursday, 24-Aug-2023 03:22:21 JST verita84 :Debian_logo: :firefox: :bing: :android: @alex
Pleroma should just have a patch tuesday
Alex Gleason likes this.

Alex Gleason (alex@gleasonator.com)'s status on Thursday, 24-Aug-2023 03:25:27 JST Alex Gleason ActivityPub sucks as a protocol. Here's why:

Alex Gleason (alex@gleasonator.com)'s status on Thursday, 24-Aug-2023 03:26:47 JST Alex Gleason I did not actually take the time to try it, but I'm almost certain in theory that anyone could have LARPed as `trump@whitehouse.gov` or `agent@fbi.gov` for at least the past year.

Alex Gleason (alex@gleasonator.com)'s status on Thursday, 24-Aug-2023 03:35:02 JST Alex Gleason @verita84 I am so fucking tired of the Pleroma bit rot. I can't build my thing fast enough.

Alex Gleason (alex@gleasonator.com)'s status on Thursday, 24-Aug-2023 11:10:45 JST Alex Gleason @msilvya Yes.

msilvya (msilvya@gleasonator.com)'s status on Thursday, 24-Aug-2023 11:10:46 JST msilvya @alex Soo, we can now safely run the upgrade?
https://gitlab.com/soapbox-pub/rebased/-/commit/2f528064102bb1fb1a284591e7c335c75dcf37c2

verita84 :Debian_logo: :firefox: :bing: :android: (verita84@poster.place)'s status on Monday, 28-Aug-2023 23:51:40 JST verita84 :Debian_logo: :firefox: :bing: :android: @sjw @alex
Nostr is future
Alex Gleason likes this.

verita84 :Debian_logo: :firefox: :bing: :android: (verita84@poster.place)'s status on Monday, 28-Aug-2023 23:51:41 JST verita84 :Debian_logo: :firefox: :bing: :android: @alex
get everyone to move to Nostr already. Sick of dis sheeeeeit

Your New Marijuana Injecting Waifu :weed: (sjw@bae.st)'s status on Monday, 28-Aug-2023 23:51:41 JST Your New Marijuana Injecting Waifu :weed: @verita84 @alex that's even worse lmao
Revolver is better

Alex Gleason (alex@gleasonator.com)'s status on Monday, 28-Aug-2023 23:55:29 JST Alex Gleason @sjw @verita84 >Revolver
U serious bro?

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 29-Aug-2023 00:43:09 JST Alex Gleason @dcc @mint How is spoofing not considered a security vulnerability? What is even the point of arguing that?

✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Tuesday, 29-Aug-2023 00:43:11 JST ✙ dcc :pedomustdie: :phear_slackware: @alex cc @mint

✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Tuesday, 29-Aug-2023 00:43:12 JST ✙ dcc :pedomustdie: :phear_slackware: @alex >webfinger spoofing
>vulnerability
No :oj_laugh:

feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 00:49:16 JST feld Does this provide any mechanism for someone to make any activity signed by my actor's private key?

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 29-Aug-2023 01:06:15 JST Alex Gleason @mint @dcc It's like saying XSS on its own isn't a vulnerability unless you actually use it to steal credentials. It's not an attack in its entirety, but it's an element of an attack, so definitively a vulnerability. If this were on Mastodon it would be assigned a CVE.

(mint@ryona.agency)'s status on Tuesday, 29-Aug-2023 01:06:16 JST @alex @dcc It doesn't expose any private data and instead can be used for some classic fun like that bug with floating emojis.

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 29-Aug-2023 01:09:38 JST Alex Gleason @feld @dcc @mint Someone could LARP as you if they pointed at a server which has not yet federated your account. Otherwise nickname collision would happen and they would become feld.kpnteuslnfewiew123@bikeshed.party or however it looks.
More importantly people could troll with .gov handles

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 29-Aug-2023 01:10:32 JST Alex Gleason @meso @verita84 No it's written in Crystal.
That's a joke.

meso (meso@the.asbestos.cafe)'s status on Tuesday, 29-Aug-2023 01:10:33 JST meso @alex @verita84 i hope it wont be written in typescript.......

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 29-Aug-2023 01:17:07 JST Alex Gleason @mint @dcc Your idea of fun is a threat to the network. 😄 Feel free to quote me on that.

(mint@ryona.agency)'s status on Tuesday, 29-Aug-2023 01:17:08 JST @alex @dcc >STOP HAVING FUN

(mint@ryona.agency)'s status on Tuesday, 29-Aug-2023 01:19:09 JST @alex @dcc
mpv-shot0002.jpg
Alex Gleason likes this.

feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 01:20:02 JST feld I think it's more of an input validation bug than anything. If it had a CVE score assigned it would probably be very low

Token (coin@asimon.org)'s status on Tuesday, 29-Aug-2023 01:20:24 JST Token @alex @dcc @mint The network should be afraid of us :ablobcool:
Alex Gleason likes this.

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 29-Aug-2023 01:22:39 JST Alex Gleason @feld @dcc @mint I mean, it's low compared to the barrage of high severity vulns coming out of Pleroma the past month or so. I would consider it at least medium since it can be used as the basis for phishing. Impersonation is not good on a social network.

feld (feld@bikeshed.party)'s status on Tuesday, 29-Aug-2023 01:23:44 JST feld > Impersonation is not good on a social network.
well, should we start requiring phone numbers to register an account? :laugh:

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 29-Aug-2023 01:26:34 JST Alex Gleason @feld @dcc @mint The point is that people have an expectation the webfinger handle proves ownership of the domain. If someone came on as @elonmusk@x.com two weeks ago, you might have actually believed it.

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 29-Aug-2023 01:37:27 JST Alex Gleason @get @verita84 @meso

get@glee.li :adm1::adm2: (get@glee.li)'s status on Tuesday, 29-Aug-2023 01:37:36 JST get@glee.li :adm1::adm2: @alex @verita84 @meso holy fucking BASED Alex doesn't want a crystalized server let's fucking GOOOOO

T man :sex: :puffgiga: :puffpowerroll: (theorytoe@ak.kyaruc.moe)'s status on Tuesday, 29-Aug-2023 01:40:37 JST T man :sex: :puffgiga: :puffpowerroll: @alex you dont even need a reason to justify that
Alex Gleason likes this.

Tadano (tadano@amala.schwartzwelt.xyz)'s status on Tuesday, 29-Aug-2023 01:55:04 JST Tadano @alex @sjw @verita84
@p whenever he sees revolver-denial on the TL

Microchimera (opphunter88@gleasonator.com)'s status on Tuesday, 29-Aug-2023 03:16:38 JST Microchimera @sjw @verita84 @alex Revolver doesn't exist. It's made up.
Fediverse Contractor likes this.

Fediverse Contractor (bot@seal.cafe)'s status on Tuesday, 29-Aug-2023 03:17:15 JST Fediverse Contractor I’m p sure you’re right.