@lamp @Nepiant
> The only files I'd upload to a social network are almost always media for other people to look at,
Every file on any website exists for other people to look at.
I have uploaded scripts, binaries, a really old build of TempleOS from when it was called LoseThos, PDFs, a shitload of PDFs, text files. I don't want the server to fuck with it, so I have stopped my server from fucking with it.
> it doesn't matter if the bytes are changed
If that is what you want to do, fine. Doesn't affect me if you don't want to do the things I want to do.
> what matters is not getting ur exact GPS location exposed.
This is illusory. You are giving the server that shit and the server can do what it wants: remove it before uploading it. Look at fucking Parler. Don't upload it if you don't want it to become public because a server with training wheels is not going to save you from your own bad decisions.
> That's much worse than rare glitch
"Rare glitch" has gotten people arrested. If you are paying me for my time, that's one thing, but I run FSE and I'm the one that has to deal with it if FSE gets owned and I'm going to run it this way.
> that lets ppl mess with the server full of useless public data,
There is data on any server that is not public: that is why a compromise is a problem. Look at what happened to chudbuds.lol and then imagine what would have happened if, instead of dumping Claire's dox, they just decided to leave something that captured credentials passively. Poast/Baest got hit by an auth token hijack and all the chat messages leaked.
People on other servers have whined about Pleroma sometimes not caring about email addresses: Gleason actually filed a bug to try to get Pleroma to remove the option. But if FSE actually required a real email address, then that would be more personal data that FSE has, making FSE a more valuable target.
> No I did not see I don't look at 4chan.
I haven't looked at 4chan itself in a very long time, but the exploit was PDF thumbnail generation. If you treat uploads as opaque blobs, this entire class of bug is impossible. So all the admins' email addresses, the code (including the hacks, the special-cased IP addresses, etc.) became public.
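A sketch of what "treat uploads as opaque blobs" can look like on the server side, added here as an illustration; it is not part of the original post and is not Pleroma's or FSE's code. The function names, the content-addressed directory layout and the header choices are assumptions made for the example.

```python
import hashlib
import os
import re
import tempfile

_DIGEST = re.compile(r"[0-9a-f]{64}")

def store_upload(data: bytes, root: str) -> str:
    """Write the bytes verbatim under their SHA-256. Nothing here parses,
    thumbnails, transcodes or strips metadata, so no file-format parser
    ever runs on attacker-controlled input."""
    digest = hashlib.sha256(data).hexdigest()
    path = os.path.join(root, digest[:2], digest)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if not os.path.exists(path):
        # Write to a temp file and rename so readers never see a partial blob.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
    return digest

def load_upload(digest: str, root: str) -> bytes:
    """Return the stored bytes; the lookup key must be a bare hex digest,
    so a client-supplied name never reaches the filesystem path."""
    if not _DIGEST.fullmatch(digest):
        raise ValueError("not a SHA-256 hex digest")
    with open(os.path.join(root, digest[:2], digest), "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != digest:
        raise ValueError("stored blob does not match its digest")
    return data

def download_headers(client_name: str) -> dict:
    """Headers that keep the blob opaque on the way out as well: a fixed
    generic type, no sniffing, and download instead of inline rendering."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(client_name))[:100]
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe or "file"}"',
        "X-Content-Type-Options": "nosniff",
    }

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    # Constructed sample: looks like a PDF header, but is only ever bytes here.
    blob = b"%PDF-1.4\n\x00\xff constructed sample\n%%EOF"
    key = store_upload(blob, root)
    print(key, load_upload(key, root) == blob, download_headers("notes.pdf"))
```

The trade-off is the one argued in the thread: metadata such as EXIF comes back out exactly as it went in, because the server never opens the file.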