not to suck @p 's dick about this but i legit think it's good / noble that he does 'sketchy' things like ignore deletion requests + make blockbots flip out + make everyone's dms public because i think ppl generally don't know how much activitypub sucks dick. afaict when he does this it's p prominent + public knowledge + now everyone knows in the back of their mind that FSE doesn't honor delete requests so now you know that's a thing that's possible so it's not a surprise if someone more malicious is doing that somewhere else
this might just be infosec brain damage for me cuz i just always enjoy a good proof of concept
basic idea is blockbots usable as activitypub signal amplifier
input -> you click the block button -> server needs to push messages out (i'm not positive now that i type this out if federation mandates pushing for all messages, but if tagging is involved like it usually is, then that is at least 2x amplification, if relays are involved then it gets much much larger)
so if you are generating a larger signal it turns it into a spam cannon you could use to clog up the originating server or send a ton of garbage to a single server in particular if you are involving multiple spambots
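The fan-out described in the three posts above, viewed from the instance operator's side: an added example (not code from this thread or from any fediverse server) that reads a hypothetical outbound-delivery log format, counts how many remote inbox deliveries each local action caused, flags actions whose fan-out exceeds a threshold, and applies a per-actor outbound delivery budget so that one click (or one CSV blocklist import) cannot drain the delivery queue. The log format, inbox URLs and actor names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an instance's outbound delivery log (hypothetical format):
# one line per POST to a remote inbox, tagged with the local action that caused it.
# Action a3 models a single block that fans out through twelve relays.
SAMPLE_LOG = "\n".join(
    [
        "2024-01-01T00:00:00Z action=block id=a1 actor=alice@local.test deliver=https://remote1.test/inbox",
        "2024-01-01T00:00:00Z action=block id=a1 actor=alice@local.test deliver=https://remote2.test/inbox",
        "2024-01-01T00:00:01Z action=note id=a2 actor=bob@local.test deliver=https://remote1.test/inbox",
    ]
    + [
        f"2024-01-01T00:00:02Z action=block id=a3 actor=alice@local.test deliver=https://relay{i}.test/inbox"
        for i in range(12)
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\S+) id=(?P<id>\S+) actor=(?P<actor>\S+) deliver=(?P<inbox>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def fanout_per_action(entries):
    """Number of outbound deliveries each local action produced (the amplification factor)."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["id"]] += 1
    return dict(counts)


def flag_amplifying_actions(entries, threshold):
    """Actions whose fan-out reaches the threshold, largest first: (id, actor, action, deliveries)."""
    counts = fanout_per_action(entries)
    meta = {e["id"]: (e["actor"], e["action"]) for e in entries}
    flagged = [(aid, meta[aid][0], meta[aid][1], n) for aid, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda t: -t[3])


def _epoch(ts):
    # fromisoformat() does not accept a trailing "Z" on older Pythons, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


class OutboundBudget:
    """Sliding-window cap on outbound deliveries per local actor.

    allow() returns True if the delivery may be sent now, False if the actor has
    already used its budget within the window (the caller would defer or drop it).
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._sent = defaultdict(deque)

    def allow(self, actor, ts):
        now = _epoch(ts)
        q = self._sent[actor]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def apply_budget(entries, limit, window_seconds):
    """Replay the log through the budget; returns (allowed, deferred) delivery counts."""
    budget = OutboundBudget(limit, window_seconds)
    allowed = deferred = 0
    for e in entries:
        if budget.allow(e["actor"], e["ts"]):
            allowed += 1
        else:
            deferred += 1
    return allowed, deferred


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("fan-out per action:", fanout_per_action(log))
    print("flagged (>= 4 deliveries):", flag_amplifying_actions(log, 4))
    print("allowed/deferred with 5 per actor per 60s:", apply_budget(log, 5, 60))
```

The budget is deliberately per local actor rather than per remote inbox: the amplification comes from one local action, so that is the side an operator can meter, while the remote side only sees the resulting flood.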
@KayFaraday @spiral @p meaning like - a single simple action causes an instance to send out multiple messages. and then you can load in, for example, a blocklist via csv which will send out several messages for every row
@KayFaraday @p @spiral so my point here is like, i even care about security but i would not have made it a priority to look into this
pete used it to temporarily bring down someone's instance, it made a big scene, because it made a big scene i have a fairly decent idea of how it works + what other things might have a similar issue + a lot of attention is brought to it in general and most ppl are aware of it now
yeah i really don't understand why people are so fucking worked up about this, and i don't think they understand either? i think people just want to pretend that security/integrity is not something they have to think about when running a server and are annoyed that they suddenly have to think about it (esp considering neet's response when i said this lol)
turn fedi into a pvp zone. every time you get taken offline is a chance to learn something new about system administration. "Losing is fun!" - Toady One
> one small difference, his posts with "direct messages". everything else is exactly the same, he doesn't care about it being exploitable because he can't even fix his own code
i'll admit i haven't really dug into the code here but from my current understanding of the blockbots and what pete is doing, this doesn't sound exploitable in the same way because it's a single message sent to a single instance (or maybe it doesn't leave the instance if it's just for FSE users?)
but i'll say that i'd be interested in hearing if this is still exploitable! and a good way to make pete care would be to give him a taste of his own medicine and use it to fuck up FSE and give him a problem he needs to go fix immediately :)
the v8 javascript engine's jit had a bug where a range of numbers didn't include a "-0" when it should've included one. who even knows what a -0 is? who cares?
@rats_god @r @p are you running on openbsd? i'm noticing some weirdness on file uploads and am not positive if it's an httpd max upload size issue or something with relayd i'm not aware of - i don't think i remember this issue from last time i did this but maybe