A new security fund opens up to help protect the fediverse
-
I still feel that interoperability between Mastodon and Lemmy is kind of messed up. How do you browse a Lemmy community through a Mastodon application?
It’s terrible
-
I can't wait to find out which project has the most security holes
Any guesses?
-
Are you hoping to restart our disagreement through sheer passive-aggressiveness? Okay, sure.
In my view, this is a Mastodon design flaw (or a user-expectation issue or whatever you want to call it.) I already said that, and you're involved in the unproductive-arguer's pastime of pretending not to understand that that's my position, and just aggressively repeatedly reframing things according to your position and hoping I'll knuckle under to it through sheer force of repetition.
I'm not super invested in trying to track down each and every software that might manage to expose the "private" statuses in this way. I just know that as things come and go there are guaranteed to be some. If you have an mbin account and Mastodon account, though, we can try a little experiment. I don't know the outcome, I'm just curious after taking a quick look down the FediDB list and a quick grep through mbin's source code. You can be the one to responsibly disclose to mbin how their ActivityPub-conforming behavior is a problem, if indeed it turns out that it is, since you seem to be extremely committed to the idea that the model of "vulnerability" needs to be applied to this particular ActivityPub-conforming behavior. Since you're a security researcher, having that as a CVE you discovered can be an achievement for you. It's all yours, you can have it.
There is still server software out there that is going to be exposing people's private Mastodon posts.
You could've saved yourself a lot of typing there by just admitting to claiming things you actually didn't know.
-
We are tiny in comparison to the rest of the fediverse.
But it's actually usable, Pixelfed sucks, prob way more actual engagement here, Pixelfed is hella ppl posting with no likes or views
-
> I can't wait to find out which project has the most security holes
> Any guesses?
The ones with the most amount of code lines and dependencies probably. More code = more problems.
-
> But it's actually usable, Pixelfed sucks, prob way more actual engagement here, Pixelfed is hella ppl posting with no likes or views
I mean, discoverability is hard, sure, but add a few hashtags and you can get a lot of people to see your posts. Also, mentioning a Lemmy group as a user posts your post to the community.
-
> The ones with the most amount of code lines and dependencies probably. More code = more problems.
IMO poor security is more about a lack of eyes on the code. Projects that have a single developer and a lower user-base will be pretty easy money.
-
> There is still server software out there that is going to be exposing people's private Mastodon posts.
> You could've saved yourself a lot of typing there by just admitting to claiming things you actually didn't know.
Because it is transparently obvious that it's going to happen.
If you're sending your users' private statuses to an ActivityPub server, and just hoping that it's going to choose to keep them private according to certain parameters even though that's not what the spec says it needs to do, then you're fucking up. The fact that we know that particular instances of particular software are exposing them is a nice demonstration of the harm, a confirmation that you're fucking up when you're doing that, but it's not really needed. It is the absolutely predictable result of some basic principles of security which, as a security researcher, you should absolutely be aware of.
I've repeatedly explained this. You've repeatedly explained your position. We've both had our say. You seem addicted to the concept of "winning" the conversation and wanting to just go back and forth. In that case I would really encourage you to state your position again, and I can state mine again, and we can both have fun doing that for a while. Want to? It sounds like a productive use of both of our time. It's fun, too.
-
> I mean, discoverability is hard, sure, but add a few hashtags and you can get a lot of people to see your posts. Also, mentioning a Lemmy group as a user posts your post to the community.
No one does that mentioning tho, I don't want to flood communities with only my posts
-
> No one does that mentioning tho, I don't want to flood communities with only my posts
If I post a picture of a pet or something, I'd mention a community.
-