This is a rather interesting read: https://bengo.is/blogging/2024-10-03-the-challenge-of-activitypub-data-portability/
Demo of @iftas CCS (content classification service) is now online from #fediforum. That's what I was working on designing & building during the first half of this year along with some other people.

So I mentioned last night that my open-source work on the fediverse (mastodon, pixelfed, etc) was funded for 10-13 hours per month; in my head I had a figure of €1000/month that I was using as the donation income I receive. I just checked and it's actually closer to €700/month. Your support for my work is greatly appreciated & helps enable work that quietly affects about a million people.

"But Mastodon also has [...] a lot on its plate including integration with Threads"

It's lines like this that make me completely unable to take those calling for a hard fork of Mastodon seriously. All Mastodon does for Threads is the same as they do for any fediverse developer having issues federating with them. (And there are certainly limits to that.) Along with perhaps writing more FEPs to standardize behaviour, which benefits *everyone*.
@thisismissem mmm, I think they're talking about the inevitable scaling needs that come with handling all that federation traffic

@thisismissem You often make perfect sense, and I often feel a bit guilty going on about quoted posts. But only because I saw us in a race to capture journalists. That ship has sailed. But we can now pivot and let Threads lure them in, then contribute new tools to support them and everyone else.

Okay, so, remember how I had some big news? Well, I didn't get to announce it yesterday as I was unwell (I've been unwell most of the month and could really do with extra financial support right now!)

The big news is that my FIRES project has been granted funding by the NLNet (@NGIZero) Entrust fund. What is FIRES? It's a project I've been slowly working on since September last year, and it provides a server for maintaining and distributing moderation advisories and recommendations.
just a little question: who the heck are you to tell others how to manage their own instances?

@thisismissem @NGIZero Soooo happy for you girl!! I remember the miscommunication and how difficult that was, and I'm glad you did resolve it because this project will have such an impact across many fediverse projects!! You totally deserve this, and I'm glad your hard work is being acknowledged and funded! You're a fucking fediverse rockstar, and now you'll shine even brighter with the grant and resources to see this through. Gosh I'm just so happy for you ❤️

Fedi-Badge is a cool new shields.io-style badge generator for the Fediverse, built on Fedify: https://github.com/dahlia/fedi-badge/tree/main

@thisismissem That is so neat, it works well with Pixelfed! https://fedi-badge.deno.dev/@loops@pixelfed.social/followers.svg

(edited to clarify I meant February 10th, not like.. March. I mean: time & months changing, what is this business 😂 )

@thisismissem thanks for being awesome and doing the hard work to research & close it out! ❤️ and thanks @pixelfed for building something awesome for the fedi ❤️

Details of the @pixelfed security vulnerability from February 10th have now been published. If you are still using a vulnerable version (39.5% of pixelfed instances as of today), then you should update immediately, otherwise someone may just be able to turn off federation for your instance. https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

Paper on Trust & Safety, titled 'Securing Federated Platforms: Collective Risks and Responses' from last year's panels with the Carnegie Endowment for International Peace cohosted by @yoyoel is now available, and it's well worth a read: https://tsjournal.org/index.php/jots/article/view/171 Very pleased that I could participate & contribute to this in a small part.
That's something I'd love a reporter covering this spam wave to know: Discord is being used to coordinate illegal activity, and discord has no mechanisms for people to report abuse. abuse@ and support@ emails are dead ends, and their contact form has no "report abuse" option that works. Reporting it via the child safety team also didn't work. Update: TechCrunch covered it: https://techcrunch.com/2024/02/21/discord-took-no-action-against-server-that-coordinated-costly-mastodon-spam-attacks/
@thisismissem @verge @404mediaco @theregister I've attempted contacting them through their normal support channels and got declined because "they only allow for messages to be reported". Incredibly helpful.

@thisismissem @verge @404mediaco @theregister That is nothing new re: Discord, as it's just garbage SaaS and worse than even Slack or Teams. IMHO no one should use it just by its Terms and Enshittification alone. #Discord #Cybercrime #Enshittification #SaaS #MicrosoftTeams #Slack #ToS #Spam #Cybercrime

@thisismissem Discord's support channels have been frustratingly useless for years, this is sadly not surprising to me :/

So for an idea of just how much spam there was, for a moment fedidb was showing user-growth during the attack of 40 million accounts: Looks like most of that can be attributed to a test server that had ridiculously inflated user counts.

@thisismissem if I understood correctly, this is rather unrelated to the spam problem and was caused by someone who was experimenting with a development instance that they created. Something went wrong ...

Wowzers, that Mastodon CVE recently was quite something:
• You can inject a post that is attributed to any remote user
The full technical write up is worth a read: https://arcanican.is/excerpts/cve-2024-23832/discovery.htm
@thisismissem @arcanicanis money quote:
> But yet, Mozilla paid for a formal security audit of the Mastodon codebase, missed this, and yet this just tumbles into my lap.
Great, I just resent the typical nature of the 'security consultancy' industry even more.

@thisismissem I enjoyed the dig at Infosec.exchange in the post.

58.5% of @pixelfed servers still have a critical vulnerability left unpatched. I'll just highlight something: the vulnerability allows a third-party to gain administrative control over your instance if you don't update. You really want to update as soon as possible, there's a reason this is a 9.9/10 vulnerability score.

@thisismissem @pixelfed Consider reporting it to @certbund & @cert_eu ... Maybe once it's acknowledged then hosters will intervene because they don't want shit to get abused for malware...

@thisismissem @pixelfed hmmm... maybe I can white knight this shit and be the hacker that breaks in, upgrades their instance and leaves lol. Like jailbreakme back in the day. Lol

Okay, have just submitted a PR to a fediverse project to fix a critical security vulnerability; CVE score is like 9.9/10. More news once administrators of the servers using this project can upgrade safely.

Update: CVE was in @pixelfed, and the advisory is published here: https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

Have confidentially submitted pull requests that fix both their main branch and currently released version. (yes, I manually backported the fix from main branch to their last release because the vulnerability is that critical to fix) Awaiting response from the project maintainers now.

What should we call a group of fediverse servers working together in moderation & community practices? I've been using Bloc in quotes, because I'm not sure if that's the right or most correct word for it.

Anonymous poll:
- Bloc: 13
- Alliance: 12
- Coalition: 21
- Union: 7
Voting ended 11 January at 19:44.
@thisismissem Ring would please me more for the throwback and other uses it echoes. I like all the options you presented though, especially bloc and coalition

@thisismissem group? May be those groups will name themselves and in a couple of years we'll have Alliance, Horde, Federation, Union, Hierarchy, Collective and Space.

@thisismissem a co-op ;) I don't know that this needs to or should be labeled. I totally understand that technically one might want to describe something. But do we have labels for "working together" or other relationships, aka "it's complicated" ;)

To all folks working on #activitypub and the wider #fediverse: happy holidays & merry Christmas! It's okay to take a break, relax, etc. our work can wait a few days to a week, the world won't implode.

@thisismissem Good advice... what a year. Take a breather. And hope you have a great holiday break, @thisismissem !

So that big news? It's that I'm joining the @iftas Advisory Board, bringing my technical expertise to the challenges of moderation and trust & safety that they're working on for independent federated social media. This has been a little while in the making, so I'm very happy that we can announce it.
Hmm, I'd really love to find a project sponsor for my work on Mastodon, where it's like €500-1000 per month to dedicate a certain amount of time per month to Mastodon. My work is mostly on the Mastodon Streaming server, but also the OAuth 2.0 setup where I'm trying to make it more standardised. Also, you'd get listed on my website & potentially as a line in PR comments/descriptions.

In an AMAZING update, two very generous individuals have gone above and beyond in supporting my work on moderation tooling and trust & safety in the Fediverse. One ( @defn ) became an Active Supporter (€20/month) but also made a one-time contribution of €300, which is coming at a much needed time for me. The other became a Tier 1 Sponsor (€250/month), bringing the total monthly recurring income to €590!!! If you'd like to support my work, then:
> There's no reason an ActivityPub server should demand to control the end-user's private keys.
Whilst I agree in principle, in practice, management of security keys is a right pain in the ass for end-users. Sure, you could do authentication via a PAKE (OPAQUE / SRP6a), and then derive a key-encryption-key from the user's password, but that introduces a lot of complexity.
If a user loses their security keys, then they can never continue; there is no password reset option there.