GNU social JP
GNU social JP is a GNU social server in Japan.
Notices by benjojo (benjojo@benjojo.co.uk)

  1. benjojo (benjojo@benjojo.co.uk)'s status on Monday, 28-Apr-2025 23:52:03 JST
    • Wolf480pl

    @wolf480pl I don't have a waveform on hand (but I would love to see it from the Spanish side), but I assume the Iberian grid very quickly (sub-second) disassembled itself after (I assume) whatever this supply fault was

    In conversation about 11 days ago from benjojo.co.uk
  2. benjojo (benjojo@benjojo.co.uk)'s status on Wednesday, 19-Mar-2025 06:17:32 JST
    in reply to
    • Viss
    • Matthew Green
    • Troy Hunt
    • Dan Goodin
    • cR0w :cascadia:

    @dangoodin @troyhunt @cR0w @Viss @matthew_d_green

    (Bear with me on the long reply, trying to cover all bases here)

    I don't think the "leaked credentials detection" product is a red flag per se. Maybe the automatic enablement of it is a can of worms, the reason being that people do not typically think that their web proxy is going to snoop their users' credentials, even if it is not storing the full outputs of that snooping.

    There is probably a bigger set of discussions that should be had about the data source of these leaked credentials, given they are inevitably sourced from actual data breaches of other people's stuff! Though this is basically the commercial exploitation of stolen user data, it is probably for the greater good to use such leaks (however dubiously obtained) to detect leaked credentials in the future, but idk!

    The thing I really wanted to point out in the original post on my side was that it seems relatively unsettling for a company to be very confidently showing off data outputs that have been derived from snooping of passwords without explicit consent. A lot of replies suggested they could be storing data, but they are almost certainly not storing the passwords themselves (because any breach of that would probably be a company-ending event), but CF's demo of the metrics (given how they were obtained) shows a level of hubris which is perhaps a little alarming.

    A lot of replies suggest this is a GDPR problem. I am not a legal guy, but I don't think any of this is a GDPR problem; there is, however, a somewhat obvious question in 2025 (to someone in Europe, that is) about an American company snooping the user-submitted data of your requests, which likely has other PII in it, to provide a WAF/etc, but none of this is new to cloudflare.

    Ultimately the websites impacted by default are the ones who don't pay cloudflare anything, there may be a lesser amount of care because of that, but there are probably limits to what kind of stuff people are willing to swallow. Password snooping without explicit consent seems (to me) to get very close to that line, but I am just 1 guy.

    It's worth stepping back a bit and acknowledging that there is a reason that people use cloudflare. It's because the product is actually kind of good; it solves a bunch of problems for people in a cheap and reasonable way. I don't think there's any foul play going on in the widespread adoption of cloudflare, it's more that people will choose what is convenient, and cloudflare is mighty convenient. I wish for better alternatives like many others, but right now some of the alternatives are worse either technically or ethically.

    In conversation about 2 months ago from benjojo.co.uk
  3. benjojo (benjojo@benjojo.co.uk)'s status on Wednesday, 19-Mar-2025 06:17:31 JST
    in reply to
    • Troy Hunt
    • Dan Goodin

    @troyhunt @dangoodin sure, I use "snooping" very much on purpose, I'm also really aware of what a WAF is given I wrote a very high % of the whole Cloudflare WAF from 2014 to 2017 :P

    https://blog.cloudflare.com/author/ben-cartwright-cox/

    I am working in a different industry now though.

    There’s no explicit “consent” involved in people sending that data

    I'm not talking about the consent of the users, my larger problem is cloudflare enabling features that handle arguably some of the most sensitive data on free customers without asking them, and then publishing metrics on it. It just has a bad vibe.

    It’s also up to the site owner to enable leaked credential check

    This is verifiably not true for free users.

    Here is what I did to confirm that.

    1) I take a domain that is on the free plan, whose cloudflare settings I have not touched for years, and check the security tab: 0 "Password leaked" hits

    2) Make a subdomain test.<domain> to point to a test instance

    3) Write a "hello world" test web server that dumps headers

    4) Fire a mimic of the login request that WordPress would use:

    $ curl -X POST -d 'log=username&pwd=password&wp-submit=Log+In' https://test.xxxxx.com/wp-login.php

    5) There is no header to confirm it was a compromised password, but if we reload the cloudflare dashboard, it detected the password.

    This is the crux of my problem. I don't think it's ethical to have this kind of feature enabled by default with no consent. The product as a concept is fine, as long as people opt into it.

    In conversation about 2 months ago from benjojo.co.uk

    Attachments

    1. https://benjojo.co.uk/d/G9HZTc5M3Y5VlPxmY7y6D.png

    2. https://benjojo.co.uk/d/G9HsQ6ZrbkjS9F4bpT1g2.png

    3. https://benjojo.co.uk/d/G9HhZQH236sps1mmV84qn.png
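The header-dumping test origin from step 3 of the post above, written out as an added example (this is not benjojo's code). It renders every request header and form field in sorted order, so the same curl sent once directly to the origin and once through the proxy can be diffed to see what the proxy added, stripped or rewrote, and it redacts the WordPress `pwd` field so the test origin itself never logs the password. The listen port is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Form fields never to be logged by the test origin; "pwd" is the WordPress password field.
var sensitiveFields = map[string]bool{"pwd": true}

// describeRequest is the "dump headers" step: method, path, every request
// header and every form field, as sorted "name: value" lines. Diffing the
// dump of a direct request against the dump of the same request sent via
// the proxy shows exactly which headers the proxy added, stripped or rewrote.
func describeRequest(r *http.Request) (string, error) {
	if err := r.ParseForm(); err != nil {
		return "", err
	}
	var lines []string
	for name, vals := range r.Header {
		lines = append(lines, fmt.Sprintf("header %s: %s", name, strings.Join(vals, ", ")))
	}
	for name, vals := range r.PostForm {
		v := strings.Join(vals, ", ")
		if sensitiveFields[strings.ToLower(name)] {
			v = fmt.Sprintf("<redacted, %d bytes>", len(v)) // never write the password
		}
		lines = append(lines, fmt.Sprintf("form %s: %s", name, v))
	}
	sort.Strings(lines)
	return r.Method + " " + r.URL.Path + "\n" + strings.Join(lines, "\n"), nil
}

// handler echoes the dump in the response body so curl shows it directly.
func handler(w http.ResponseWriter, r *http.Request) {
	dump, err := describeRequest(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, dump)
}

func main() {
	// The box test.<domain> points at; port 8080 is an assumption.
	http.ListenAndServe(":8080", http.HandlerFunc(handler))
}
```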
  4. benjojo (benjojo@benjojo.co.uk)'s status on Sunday, 15-Dec-2024 21:00:28 JST
    in reply to
    • Rich Felker

    @dalias I feel that's a bit of a stretch / bad faith reading of things. Web 'Referer' headers have existed for a long time and while they have been curbed in scope (some contexts don't send it at all, some don't send the URL path), it feels a bit extreme to compare this to experimentation on human subjects when, if anything, the current default was out of the norm

    In conversation about 5 months ago from gnusocial.jp
  5. benjojo (benjojo@benjojo.co.uk)'s status on Sunday, 15-Dec-2024 20:51:57 JST
    in reply to
    • Terence Eden
    • Rich Felker

    @dalias There is nuance here though? _some_ (obviously not you I suppose?) fedi users would like there to be better integrations with publishers (for example, I would prefer that the BBC have their own bots rather than RSS re-publishers), but 🌈we live in a society🌈 where you do need to justify doing work, and stats help that. I don't really see an issue if I click a link on mastodon dot social and the BBC knows that I came from somewhere on mastodon dot social; as @Edent said, there are nuances where you would not want something like that, but for generic servers I don't really see the harm, and it does good for an ecosystem (aka, people typically like nice things, this is one of the ways you get nice things)

    I just don't understand the threat model of letting the BBC know I came via mastodon.social

    In conversation about 5 months ago from gnusocial.jp
  6. benjojo (benjojo@benjojo.co.uk)'s status on Saturday, 26-Oct-2024 23:10:27 JST
    in reply to
    • Ryan Castellucci :nonbinary_flag:

    @ryanc sure that my ideal risk tolerance of being arrested in a foreign country is pretty much zero

    In conversation about 6 months ago from gnusocial.jp
  7. benjojo (benjojo@benjojo.co.uk)'s status on Saturday, 26-Oct-2024 02:40:27 JST

    @asl remarkably!

    In conversation about 7 months ago from benjojo.co.uk
  8. benjojo (benjojo@benjojo.co.uk)'s status on Saturday, 26-Oct-2024 02:40:25 JST
    in reply to
    • Jeff Noxon

    @jeff I have a CRS317-1G-16S+ in production for bgp.tools in the NL as a low power "port expander", it's fine, it's just tagging VLANs and it's been fine, I however have hit weird shit ™️ with 'tik's OSPF/BGP and a bunch of the other Layer 3 stuff.

    Tik is likely fine if your entire estate is tik (a lot of WISPs fall into this class) but it can be dicey otherwise. But the fewer things you are doing the better it all tends to go

    (edit: whoops, I didn't mean to boost you, but it seems I cannot un-boost now, my apologies)

    In conversation about 7 months ago from benjojo.co.uk
  9. benjojo (benjojo@benjojo.co.uk)'s status on Thursday, 13-Jun-2024 04:30:25 JST
    in reply to
    • Ryan Castellucci :nonbinary_flag:

    @ryanc If you want new-ish, I suspect a 1019C-FHTN8 chassis would work well for homelab-ish use cases. Front facing PCIe slot. The vendor I use to build my (non 2nd hand) chassis has a configurator for it, and they seem to be mostly reasonable: https://www.broadberry.co.uk/superservers-supermicro-servers/sys-1019c-fhtn8

    In conversation about a year ago from benjojo.co.uk

    Attachments

    1. Supermicro SYS-1019C-FHTN8 SuperServer | 1019C-FHTN8 (www.broadberry.co.uk)
       Configure Supermicro SYS-1019C-FHTN8 SuperServer, Optimised for Virtualisation and Network Security Appliance. Dual GbE LAN ports, Dedicated IPMI LAN.
  10. benjojo (benjojo@benjojo.co.uk)'s status on Tuesday, 20-Feb-2024 08:15:52 JST
    in reply to
    • Manawyrm | Sarah

    @manawyrm Ok that's too much even by my standards

    In conversation about a year ago from benjojo.co.uk

benjojo

    Hope you never notice the outages I cause. Knows where the RFC2616 bodies are buried. recurse.com SP'2 18

    Tags: (None)

    Following 0, Followers 0, Groups 0

    Statistics
    User ID: 104832
    Member since: 6 Mar 2023
    Notices: 71
    Daily average: 0

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.