So I mentioned last night that my open-source work on the fediverse (mastodon, pixelfed, etc) was funded for 10-13 hours per month, in my head I had a figure of €1000/month that I was using as the donation income I receive.

I just checked and it's actually closer to €700/month.

Your support for my work is greatly appreciated & helps enable work that quietly affects about a million people.

https://support.thisismissem.social

”But Mastodon also has [...] a lot on its plate including integration with Threads“

It's lines like this that makes me completely unable to take those calling for a hard fork of Mastodon seriously.

All Mastodon do for Threads is the same they for any fediverse developer having issues federating with them. (And there's certainly limits to that)

Along with perhaps writing more FEPs to standardize behaviour, which benefits *everyone*

#mastodon

Okay, so, remember how I had some big news? Well, I didn't get to announce it yesterday as I was unwell (I've been unwell most of the month and could really do with extra financial support right now!)

The big news is that my FIRES project has been granted funding by NLNet (@NGIZero) Entrust fund.

What is FIRES? It's a project I've been slowly working since September last year, and provides a server for maintaining and distributing moderation advisories and recommendations.

Fedi-Badge is a cool new shields.io style badge generator for the Fediverse, built on Fedify: https://github.com/dahlia/fedi-badge/tree/main

Details of the @pixelfed security vulnerability from February 10th have now been published.

If you are still using a vulnerable version (39.5% of pixelfed instances as of today), then you should update immediately, otherwise someone may just be able to turn off federation for your instance.

https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

#pixelfed #security #fediverse

Paper on Trust & Safety, titled ‘Securing Federated Platforms: Collective Risks and Responses’ from last year's panels with the Carnegie Endowment for International Peace cohosted by @yoyoel is now available, and it's well worth a read: https://tsjournal.org/index.php/jots/article/view/171

Very pleased that I could participate & contribute to this in a small part.

#Mastodon #Fediverse #TrustAndSafety

That's something I'd love a reporter covering this spam wave to know: Discord is being used to coordinate illegal activity, and discord has no mechanisms for people to report abuse.

abuse@ and support@ emails are dead ends, and their contact form has no "report abuse" option that works. Reporting it via the child safety team also didn't work.

Update: TechCrunch covered it: https://techcrunch.com/2024/02/21/discord-took-no-action-against-server-that-coordinated-costly-mastodon-spam-attacks/

So for an idea of just how much spam there was, for a moment fedidb was showing user-growth during the attack of 40 million accounts:

Looks like most of that can be attributed to a test server that had ridiculously inflated user counts.

Just 51.4% of #Pixelfed servers are still vulnerable; really hoping we reach below 50%, and ideally below 30% by the 25th February when the responsible disclosure period ends & details can be published.

Wowzers, that Mastodon CVE recently was quite something:

• You can inject a post that is attributed to any remote user
• You can overwrite the server's copy of any remote user
• You can rekey the server's copy of any remote user, by just listing another key

The full technical write up is worth a read: https://arcanican.is/excerpts/cve-2024-23832/discovery.htm

58.5% of @pixelfed servers still have a critical vulnerability left unpatched.

I'll just highlight something: the vulnerability allows a third-party to gain administrative control over your instance if you don't update.

You really want to update as soon as possible, there's a reason this is a 9.9/10 vulnerability score.

#Pixelfed

Okay, have just submitted a PR to a fediverse project to fix a critical security vulnerability; CVE score is like 9.9/10.

More news once administrators of this servers using this project can upgrade safely.

Update: CVE was in @pixelfed, and the advisory is published here: https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

What should we call a group of fediverse servers working together in moderation & community practices?

I've been using Bloc in quotes, because I'm not sure if that's the right or most correct word for it.

#moderation #fediverse #TrustAndSafety

To all folks working on #activitypub and the wider #fediverse: happy holidays & merry Christmas!

It's okay to take a break, relax, etc. our work can wait a few days to a week, the world won't implode.

So that big news?

It's that I'm joining the @iftas Advisory Board, bringing my technical expertise to the challenges of moderation and trust & safety that they're working on for independent federated social media.

This has been a little while in the making, so I'm very happy that we can announce it.

Re: https://mastodon.iftas.org/@iftas/111539384628815097

Hmm, I'd really love to find a project sponsor for my work on Mastodon, where it's like €500-1000 per month to dedicate a certain amount of time per month to Mastodon.

My work is mostly on the Mastodon Streaming server, but also the OAuth 2.0 setup where I'm trying to make it more standardised.

Also, you'd get listed on my website & potentially as a line in PR comments/descriptions.

https://support.thisismissem.social

In an AMAZING update, two very generous individuals have gone above and beyond in supporting my work on moderation tooling and trust & safety in the Fediverse.

One ( @defn ) became an Active Supporter (€20/month) but also made a one-time contribution of €300, which is coming at a much needed time for me.

The other became a Tier 1 Sponsor (€250/month), bringing the total monthly recurring income to €590!!!

If you'd like to support my work, then:

https://ko-fi.com/thisismissem

Just €20 in recurring monthly donations to go until I reach €300 / mo! Wooo!

I'm also working on some really awesome stuff at the moment, which I hope to be able to share with y'all soon. Have also been having some really interesting conversations with @dansup about #Pixelfed!

Re: https://hachyderm.io/@thisismissem/111014217815470914

TIL: The maximum length of a domain name is 253 characters, and each label (`.` separated part) can only be 63 characters, and this is consistent regardless of whether you use punycode or not.