076萌SNS
  • Login

  • Public

    • Public
    • Network
    • Groups
    • Popular
    • People

Conversation

Notices

  1. pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Thursday, 25-May-2023 15:25:58 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
    :hacker_f::hacker_s::hacker_e:

    Have to go to the hospital for family, will likely be indisposed a few days, maybe longer. If anything bad happens, DM me. If FSE goes down, my response time will be atrocious. So, you know...I guess MKULTRA is in charge. :nada:
    In conversation Thursday, 25-May-2023 15:25:58 JST from freespeechextremist.com permalink
    • Machismo repeated this.
    • ringo (ringo@talk-here.com)'s status on Thursday, 25-May-2023 15:25:57 JST ringo ringo
      in reply to
      @p

      may your family be blessed by the hand of the almighty YHVH, and be brought to healing if it's what he wants.

      <3

      be well sir
      In conversation Thursday, 25-May-2023 15:25:57 JST permalink
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Thursday, 25-May-2023 15:30:00 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Kerokeronim
      @MK2boogaloo Despite my efforts, the TSA does not care about me.
      In conversation Thursday, 25-May-2023 15:30:00 JST permalink
    • Kerokeronim (mk2boogaloo@freespeechextremist.com)'s status on Thursday, 25-May-2023 15:30:01 JST Kerokeronim Kerokeronim
      in reply to
      @p gl lel.
      In conversation Thursday, 25-May-2023 15:30:01 JST permalink
      Machismo repeated this.
    • Kirino Kousaka (kirino@seal.cafe)'s status on Saturday, 27-May-2023 02:51:26 JST Kirino Kousaka Kirino Kousaka
      in reply to
      And as it turned out... something did happen
      In conversation Saturday, 27-May-2023 02:51:26 JST permalink
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Saturday, 27-May-2023 02:51:26 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Kirino Kousaka
      @Kirino So I hear. Still looking at it while I plow through notifications.
      In conversation Saturday, 27-May-2023 02:51:26 JST permalink
      Machismo likes this.
    • Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug: (kirby@mstdn.starnix.network)'s status on Saturday, 27-May-2023 20:43:59 JST Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug: Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug:
      in reply to

      @p pleroma decided to have a bug that allows javascript code to be executed if you upload a javascript script. Since the script is @ root domain its just automatically executed apparently. We don't have a media proxy so remote users can't really do anything but local users can :D

      In conversation Saturday, 27-May-2023 20:43:59 JST permalink
      Machismo repeated this.
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Saturday, 27-May-2023 20:43:59 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug:
      @kirby That doesn't work on FSE because of our paranoid CSP setting.

      Paranoid twitchy hackers stay winning.
      In conversation Saturday, 27-May-2023 20:43:59 JST permalink
    • Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug: (kirby@mstdn.starnix.network)'s status on Saturday, 27-May-2023 20:44:00 JST Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug: Kirby :koronesmile: :koronebonk: :koroneThink: :korone_smug:
      in reply to

      @p something bad has happened

      In conversation Saturday, 27-May-2023 20:44:00 JST permalink
    • Fever (jonnyfever@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:28:44 JST Fever Fever
      in reply to
      • Twoinchdestroya
      • ringo
      @p @Twoinchdestroya @ringo
      I can only imagine the amount of attacks you instance guys have too deal with, Jesus.

      Could you imagine drunk Jonny reacting too an instance attack? Not good. Haha
      In conversation Sunday, 28-May-2023 17:28:44 JST permalink
      Machismo repeated this.
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:28:44 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Twoinchdestroya
      • Fever
      • ringo
      @JonnyFever @Twoinchdestroya @ringo Ha, Drunk Pete has had to mitigate before. I can hack when I'm too drunk to talk, though, so it works out usually.
      In conversation Sunday, 28-May-2023 17:28:44 JST permalink
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:28:45 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Twoinchdestroya
      • ringo
      @Twoinchdestroya @ringo Basically, Poast fetches it from the other server and then serves it to you instead of just embedding the image directly.

      That was part of the hack, the media proxy meant that the image was being served from the local server, but this was mainly how it got Baest.
      In conversation Sunday, 28-May-2023 17:28:45 JST permalink
    • Twoinchdestroya (twoinchdestroya@poa.st)'s status on Sunday, 28-May-2023 17:28:46 JST Twoinchdestroya Twoinchdestroya
      in reply to
      • ringo

      @p @ringo Okay, so if I am understanding correctly, how media is accessed by Poast is to directly fetch it instead of directly linking to the source.

      Was that a cause to the hack? Some media or link that poast fetched that was malicious and stored in the database?

      In conversation Sunday, 28-May-2023 17:28:46 JST permalink
    • Twoinchdestroya (twoinchdestroya@poa.st)'s status on Sunday, 28-May-2023 17:28:47 JST Twoinchdestroya Twoinchdestroya
      in reply to
      • ringo

      @p @ringo What does that mean? In laymen terms

      In conversation Sunday, 28-May-2023 17:28:47 JST permalink
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:28:47 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Twoinchdestroya
      • ringo
      @Twoinchdestroya @ringo It means that Poast fetches images and serves them locally instead of just linking to the image on FSE. On FSE's end, media proxy requests are harshly rate-limited and in excessive cases, blocked entirely.

      The exploit relied on media proxy serving requests from the same domain as the backend uses, so cookies and local storage (segmented by domain, so Poast can see its own cookies but NYT cannot see Poast cookies) for Poast were visible.
      In conversation Sunday, 28-May-2023 17:28:47 JST permalink
    • Twoinchdestroya (twoinchdestroya@poa.st)'s status on Sunday, 28-May-2023 17:28:48 JST Twoinchdestroya Twoinchdestroya
      in reply to
      • ringo

      @p @ringo Is there an issue with FSE, on my poast account, I can’t see any of their pfp or media?

      In conversation Sunday, 28-May-2023 17:28:48 JST permalink
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:28:48 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Twoinchdestroya
      • ringo
      @Twoinchdestroya @ringo FSE is probably still killing media proxy. After this hack, probably everyone should.
      In conversation Sunday, 28-May-2023 17:28:48 JST permalink
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:28:49 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • ringo
      @ringo :bigbosssalute:
      In conversation Sunday, 28-May-2023 17:28:49 JST permalink
    • kumicota (kumicota@bae.st)'s status on Sunday, 28-May-2023 17:36:38 JST kumicota kumicota
      in reply to
      • J上校🎄🎄🇺🇦
      • Kirino Kousaka
      @p @colonelj @Kirino CSP? I'm thinking into maybe began to build my own instance but because I got fired, nowadays will be hard to rent a server
      In conversation Sunday, 28-May-2023 17:36:38 JST permalink
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:36:38 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • J上校🎄🎄🇺🇦
      • kumicota
      • Kirino Kousaka
      @kumicota @Kirino @colonelj CSP is a header used to limit permissions for what can be used and how. FSE's is strict enough that even inline CSS doesn't work on attached HTML files. Here's the relevant information: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
      In conversation Sunday, 28-May-2023 17:36:38 JST permalink

      Attachments

      1. Content Security Policy (CSP) - HTTP | MDN
        from MozDevNet
        Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:36:39 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • J上校🎄🎄🇺🇦
      • kumicota
      • Kirino Kousaka
      @kumicota @Kirino @colonelj Luckily, FSE has no admins, no media proxy, no link previews, and paranoid CSP.
      In conversation Sunday, 28-May-2023 17:36:39 JST permalink
    • kumicota (kumicota@bae.st)'s status on Sunday, 28-May-2023 17:36:40 JST kumicota kumicota
      in reply to
      • J上校🎄🎄🇺🇦
      • Kirino Kousaka
      @p @colonelj @Kirino F
      In conversation Sunday, 28-May-2023 17:36:40 JST permalink
    • kumicota (kumicota@bae.st)'s status on Sunday, 28-May-2023 17:36:41 JST kumicota kumicota
      in reply to
      • J上校🎄🎄🇺🇦
      • Kirino Kousaka
      @Kirino @colonelj @p bae.st was hacked too?
      In conversation Sunday, 28-May-2023 17:36:41 JST permalink
    • pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:36:41 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • J上校🎄🎄🇺🇦
      • kumicota
      • Kirino Kousaka
      @kumicota @Kirino @colonelj Yeah, admin token.
      In conversation Sunday, 28-May-2023 17:36:41 JST permalink
    • J上校🎄🎄🇺🇦 (colonelj@freespeechextremist.com)'s status on Sunday, 28-May-2023 17:36:42 JST J上校🎄🎄🇺🇦 J上校🎄🎄🇺🇦
      in reply to
      • Kirino Kousaka
      @Kirino @p suspicious timing tbqh 🤔
      In conversation Sunday, 28-May-2023 17:36:42 JST permalink
    • Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 28-May-2023 17:36:42 JST Kirino Kousaka Kirino Kousaka
      in reply to
      • J上校🎄🎄🇺🇦
      >p, operator of one of the larger instances who would have intimate knowledge with the software / admin api goes missing

      >baest / poast (arguably their "competitors" in terms of users) get super hacked


      HE CAN'T KEEP GETTING AWAY WITH IT!!!
      In conversation Sunday, 28-May-2023 17:36:42 JST permalink
    • † top dog :pedomustdie: (dcc@annihilation.social)'s status on Sunday, 28-May-2023 17:37:22 JST † top dog :pedomustdie: † top dog :pedomustdie:
      in reply to
      • J上校🎄🎄🇺🇦
      • kumicota
      • Kirino Kousaka
      @p @kumicota @colonelj @Kirino you use Content-Security-Policy: default-src 'self' correct?
      In conversation Sunday, 28-May-2023 17:37:22 JST permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.