GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:47 JST
    • pistolero :thispersondoesnotexist:
    not to suck @p 's dick about this but i legit think it's good / noble that he does 'sketchy' things like ignore deletion requests + make blockbots flip out + make everyone's dms public because i think ppl generally don't know how much activitypub sucks dick. afaict when he does this it's p prominent + public knowledge + now everyone knows in the back of their mind that FSE doesn't honor delete requests so now you know that's a thing that's possible so it's not a surprise if someone more malicious is doing that somewhere else

    this might just be infosec brain damage for me cuz i just always enjoy a good proof of concept
      rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:22 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @zero @spiral @KayFaraday @p @netdoll @MischievousTomato

      > one small difference, his posts with "direct messages". everything else is exactly the same, he doesn't care about it being exploitable because he can't even fix his own code

      i'll admit i haven't really dug into the code here but from my current understanding of the blockbots and what pete is doing, this doesn't sound exploitable in the same way because it's a single message sent to a single instance (or maybe it doesn't leave the instance if it's just for FSE users?)

      but i'll say that i'd be interested in hearing if this is still exploitable! and a good way to make pete care would be to give him a taste of his own medicine and use it to fuck up FSE and give him a problem he needs to go fix immediately :)

      > one small difference

      this is my fav bug i've seen in a ctf: https://bugs.chromium.org/p/project-zero/issues/detail?id=1710

      the v8 javascript engine's jit had a bug where a range of numbers didn't include a "-0" when it should've included one. who even knows what a -0 is? who cares?

      not including a -0, it turns out, let people write javascript that could execute arbitrary assembly for anyone visiting the page: https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/

      small differences - if they are the exact right small difference - can matter a lot

      Attachments

      1. 1710 - project-zero - Project Zero - Monorail
      2. Introduction to TurboFan
         from Axel '0vercl0k' Souchet
      rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:23 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @p @spiral @KayFaraday @netdoll @zero @MischievousTomato

      yeah i really don't understand why people are so fucking worked up about this, and i don't think they understand either? i think people just want to pretend that security/integrity is not something they have to think about when running a server and are annoyed that they suddenly have to think about it (esp considering neet's response when i said this lol)

      turn fedi into a pvp zone. every time you get taken offline is a chance to learn something new about system administration. "Losing is fun!" - Toady one
      Zero :zt_think: :artix: (zero@strelizia.net)'s status on Thursday, 29-Sep-2022 11:30:23 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @rats @spiral @KayFaraday @p @netdoll @MischievousTomato

      Because he pretends it's about security except his own block notification bot does the exact same thing, with one small difference, his posts with "direct messages". everything else is exactly the same, he doesn't care about it being exploitable because he can't even fix his own code, he's just a petty schizo and likes to pretend he isn't
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Thursday, 29-Sep-2022 11:30:25 JST
      in reply to
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      @rats @zero @KayFaraday @MischievousTomato @netdoll @spiral zero's a bit optimistic; it wouldn't work with FSE's.

      Also, you know, I tell Nichy to just

      # make sure the :blockbot cache exists before touching it
      with {:error, _} <- Cachex.stats(:blockbot), do: Cachex.start(:blockbot)
      # n is the timestamp before which this actor is throttled; a fresh entry is
      # one second in the past so the first message from an actor goes through
      {_, n} = Cachex.fetch(:blockbot, object["actor"], fn(_) -> {:commit, :os.system_time(:seconds) - 1} end)
      t = :os.system_time(:seconds)
      if t > n do
        # outside the window: open a 5-second cooldown and send
        Cachex.set(:blockbot, object["actor"], t + 5)   # Cachex.put/3 in Cachex 3.x
        do_the_blockbot_message()
      else
        # inside the window: drop it and push the cooldown out, scaled by how early the hit was
        Cachex.incr(:blockbot, object["actor"], 30 * (1 + (n - t)))
        # lol lmao
      end

      ...And he never does. This would completely stop the thing I do, race conditions aside (impact of hitting the race is minimal unless you do the Alex Gleason strategy of cranking up the number of default workers by a factor of 10). I think some of the rate-limiters use a tempfile, it's garbage. There are 80 ways to stop me doing what I am doing and nobody does any of them. verita84's is rate-limited by design because it only fires periodically.
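An added example, not code from this thread or from Pleroma: the same per-actor cooldown written in Python, with the read and the update done under one lock so the race pistolero mentions is closed, and a constructed sequence of block events run through it. The 5-second window and the 30-second penalty step are taken from the snippet above; `PerActorCooldown`, `simulate`, `FakeClock` and the actor URLs are assumptions made for the illustration.

```python
import threading
import time


class PerActorCooldown:
    """Per-actor cooldown with an escalating penalty for hits inside the window.

    Mirrors the snippet above: a hit outside the window is allowed and opens a
    `cooldown`-second window; a hit inside the window is dropped and pushes the
    window further out by `penalty_step * (1 + seconds_remaining)`.
    Hypothetical helper written for this illustration, not Pleroma code.
    """

    def __init__(self, cooldown=5, penalty_step=30, clock=time.monotonic):
        self.cooldown = cooldown
        self.penalty_step = penalty_step
        self.clock = clock            # injectable so the simulation below can drive time
        self._next_allowed = {}       # actor -> timestamp before which hits are dropped
        self._lock = threading.Lock()

    def allow(self, actor):
        """Return True if a notification triggered by `actor` may be sent now."""
        now = self.clock()
        # Read and update atomically: two inbox workers handling the same actor
        # at once would otherwise both see the old value and both send.
        with self._lock:
            nxt = self._next_allowed.get(actor, now - 1)
            if now > nxt:
                self._next_allowed[actor] = now + self.cooldown
                return True
            remaining = nxt - now
            self._next_allowed[actor] = nxt + self.penalty_step * (1 + remaining)
            return False

    def next_allowed(self, actor):
        """Timestamp at which `actor` is next allowed through (None if never seen)."""
        with self._lock:
            return self._next_allowed.get(actor)


class FakeClock:
    """Settable clock so the example runs instantly and deterministically."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


def simulate(events, cooldown=5, penalty_step=30):
    """Feed a constructed list of (timestamp, actor) block events through the limiter.

    Returns a list of (timestamp, actor, allowed, next_allowed_after) tuples.
    """
    clock = FakeClock()
    limiter = PerActorCooldown(cooldown, penalty_step, clock)
    results = []
    for ts, actor in sorted(events):
        clock.now = ts
        allowed = limiter.allow(actor)
        results.append((ts, actor, allowed, limiter.next_allowed(actor)))
    return results


# Constructed sample: one actor hammering the block button, another blocking normally.
SAMPLE_EVENTS = [
    (0, "https://example.invalid/users/spammer"),
    (1, "https://example.invalid/users/spammer"),
    (1, "https://example.invalid/users/alice"),
    (2, "https://example.invalid/users/spammer"),
    (7, "https://example.invalid/users/alice"),
]

if __name__ == "__main__":
    for ts, actor, allowed, nxt in simulate(SAMPLE_EVENTS):
        verdict = "send" if allowed else "drop"
        print(f"t={ts:>3} {actor.rsplit('/', 1)[1]:<8} {verdict}  next allowed at t={nxt}")
```

Keying the limiter on the remote actor caps how many outbound messages any one actor can make the instance generate, which is the lever in the amplification rats describes later in the thread. Note how fast the penalty grows: because it scales with the time still remaining in the window, two hits one second apart lock the spammer out for well over an hour, so a deployment would likely want a fixed penalty or a ceiling on the value.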
      Zero :zt_think: :artix: (zero@strelizia.net)'s status on Thursday, 29-Sep-2022 11:30:26 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @MischievousTomato @spiral @KayFaraday @p @netdoll @rats btw pete's block notifier is vulnerable and you could make it spam his or any of his users all day if you wanted :02_omegalul:
      rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:26 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @zero @spiral @KayFaraday @p @netdoll @MischievousTomato the ppl angry in this thread should just fire back and get some good rivalries going then imho!!
      Johnny Peligro (mischievoustomato@varishangout.net)'s status on Thursday, 29-Sep-2022 11:30:27 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @rats @spiral @KayFaraday @p @netdoll @zero nyeh heh heh heh
      Johnny Peligro (mischievoustomato@varishangout.net)'s status on Thursday, 29-Sep-2022 11:30:28 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @netdoll @spiral @KayFaraday @p @rats @zero im for them, reason: see the first word of my @
      rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:28 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @MischievousTomato @spiral @KayFaraday @p @netdoll @zero i am in favor of mischief
      netdoll (netdoll@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:34 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • Katherine Faraday, esnoam princess
      @MischievousTomato @spiral @KayFaraday @p @rats @zero Probably. Mind, I'm 100% against blockbots of any sort, but the ones that do public callouts are a whole other kind of messed up.
      netdoll (netdoll@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:36 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • spiral
      • Katherine Faraday, esnoam princess
      @rats @KayFaraday @p @spiral and as a nice side effect, those kinds of public facing blockbots get risky enough to run that only the most cringe of instances opt for them, thus improving the fediverse overall
      Johnny Peligro (mischievoustomato@varishangout.net)'s status on Thursday, 29-Sep-2022 11:30:36 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @netdoll @spiral @KayFaraday @p @rats @zero made a safe one
      rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:37 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • spiral
      • Katherine Faraday, esnoam princess
      @KayFaraday @p @spiral so my point here is like, i even care about security but i would not have made it a priority to look into this

      pete used it to temporarily bring down someone's instance, it made a big scene, because it made a big scene i have a fairly decent idea of how it works + what other things might have a similar issue + a lot of attention is brought to it in general and most ppl are aware of it now
      rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:38 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • spiral
      • Katherine Faraday, esnoam princess
      @KayFaraday @spiral @p meaning like - a single simple action causes an instance to send out multiple messages. and then you can load in, for example, a blocklist via csv which will send out several messages for every row
      Katherine Faraday, esnoam princess (kayfaraday@freak.university)'s status on Thursday, 29-Sep-2022 11:30:42 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • spiral

      @spiral @p @rats :overthink: i still don't get how that amplifies anything? what is doing the amplification?

      rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:45 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Katherine Faraday, esnoam princess
      @KayFaraday @p

      basic idea is blockbots usable as activitypub signal amplifier

      input -> you click the block button
      -> server needs to push messages out (i'm not positive now that i type this out if federation mandates pushing for all messages, but if tagging is involved like it usually is, then that is at least 2x amplification, if relays are involved then it gets much much larger)

      so if you are generating a larger signal it turns it into a spam cannon you could use to clog up the originating server or send a ton of garbage to a single server in particular if you are involving multiple spambots
      spiral (spiral@anime.website)'s status on Thursday, 29-Sep-2022 11:30:45 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Katherine Faraday, esnoam princess
      @rats @KayFaraday @p ok using that as an amplification attack vector is actually really funny
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Thursday, 29-Sep-2022 11:30:45 JST
      in reply to
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      @mint @KayFaraday @MischievousTomato @netdoll @rats @spiral @zero

      > Worse, they brought it to compliance with twatter that by default disallows you from viewing user's timeline unless you log out.

      Holy fucking shit. Should have expected. They already do this "You have to log in to view this" engagement funnel horseshit. Gleason broke links so someone gives you a link to a post on Poast (basically the only Soapbox instance anyone bothers to send links to) you can't drop it in the search box without editing it. ("Was it 'notice' or 'notices'? Oh, right, 'activities' and 'objects' are pluralized in the URLs, 'notice' isn't.")

      All this awful Twitter cargo cult shit that he does, and for what? Unless you already *are* Twitter, it doesn't actually bump engagement. I have seen exactly this shit happen and I have seen it kill all the KPIs while traffic falls through the floor. It's not just evil and stupid, it's ineffective. Treebird has way more search engine juice and Neko wasn't even trying to do that: his fun project outperforms the years of work on GabFE/Soapbox/OtherSoapbox. (I'd bet money that if Poast added Treebird and let it get crawled, they'd double in size in two months.) Big instances are not a great plan, so Gleason's whole project amounts to using shady tactics to fail at achieving an undesirable outcome.

      inb4 Soapbox gets "You've read 12 free Poasts this month. Please create an account to keep reading all of your favorite Poasters!"
      Katherine Faraday, esnoam princess (kayfaraday@freak.university)'s status on Thursday, 29-Sep-2022 11:30:46 JST
      in reply to
      • pistolero :thispersondoesnotexist:

      @rats @p > make block bots flip out

      how?

      mint (mint@ryona.agency)'s status on Thursday, 29-Sep-2022 11:30:46 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @p @spiral @KayFaraday @netdoll @rats @zero @MischievousTomato >they added it to Soapbox after I complained enough
      Worse, they brought it to compliance with twatter that by default disallows you from viewing user's timeline unless you log out. Same with viewing non-opening posts and follow lists that throw you to login page, it's all intentional sticks in wheels on frontend's side brought to you by :gleason:.
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Thursday, 29-Sep-2022 11:30:47 JST
      in reply to
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      @rats @zero @KayFaraday @MischievousTomato @netdoll @spiral

      > at this point i actually do really want someone to go break pete's blockbot instead of just complaining to knock pete off his high horse

      Seconded. PoC||GTFO. (If the UI actually just showed who blocks you and you knew you weren't posting into the void, that would be better than blockbots. I added it to bloat, I think they added it to Soapbox after I complained enough. Pressure from the Masto crowd--I still don't know why the Pleroma devs listen to Eugen's neurotic babyjail concerns--has prevented this from being displayed in the frontend, although the backend does tell you if you're blocked.)

      But if you're sick of that from one thread, you can probably understand why my stance on this is "I'm gonna just do it, complain to Alex instead of me."
      Zero :zt_think: :artix: (zero@strelizia.net)'s status on Thursday, 29-Sep-2022 11:30:48 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @rats @spiral @KayFaraday @p @netdoll @MischievousTomato
      not a single message, you can spam him and his users for every block, just as exploitable, he doesn't care to fix that
      rats (rats@refusal.biz)'s status on Thursday, 29-Sep-2022 11:30:48 JST
      in reply to
      • pistolero :thispersondoesnotexist:
      • Zero :zt_think: :artix:
      • Johnny Peligro
      • spiral
      • netdoll
      • Katherine Faraday, esnoam princess
      @zero @spiral @KayFaraday @p @netdoll @MischievousTomato at this point i actually do really want someone to go break pete's blockbot instead of just complaining to knock pete off his high horse


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.