Notices by Terence Eden (edent@mastodon.social)

This #Caturday, I'm remembering Busby - the Dark Terror.

https://shkspr.mobi/blog/2020/11/a-visitation-of-long-gone-cats/

@Gargron ah! The actor, not the WebFinger?
Thanks.

What are the *technical* steps behind moving a Mastodon account?

I understand how to do it from a user perspective (https://docs.joinmastodon.org/user/moving/#move) but what does the new server need to do?

Is it as simple as adding an "aliases" to the webfinger?

#MastodonAPI #ActivityPub

@foone I built one 😄
https://shkspr.mobi/blog/2020/09/a-floppy-disk-mp3-player-using-a-raspberry-pi/
It was impressively awful.

@Gargron @bruno Interesting! It's always fun to see what happens to early posts. I've got some on Twitter which have been badly mangled over the years.

Is there a good way to convert embedded Tweets into static content?

I've got loads of Twitter content embedded on my WordPress blog. For obvious reasons, I'd like to reduce my reliance on Twitter's API.

Does anyone have a tool that I can feed a URl and it will give me an image of a Tweet + alt text?

(Looking for personal experience. I know how to use a search engine.)

Here's a list of everyone standing for election who has a Mastodon account:

https://candidates.democracyclub.org.uk/numbers/election/parl.2024-07-04/completeness?has_mastodon_username=yes

Only 11 candidates so far.

If you know of any others, please add it to their candidate page.

If you know of anyone standing, please encourage them to join the Fediverse.

#UKPolitics #GE2024

It *is* a genuine notification. But it isn't confirming the bank is calling you.

Should the bank word that differently?

In a rush, would you read it thoroughly?

Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.

3/3

The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank send you the notification.
You accept, and scammers proceed to drain your account.

Someone has just lost £18,000 because of this.
https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/

2/3

You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.

"Oh yeah," you think. Obvious scam, right?

The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

Your phone buzzes. You tap the notification This is what you see.

Still think it is a scam?
1/3

Wondering what the world would look like if we implemented "Universal Basic Website".

Entitle everyone to their own domain, a few GB of space, the ability to run simple apps / blogs / etc.

What does the world look like if people aren't beholden to Flickr / Facebook / Google Photos to share their family albums?

#UBI

@erincandescent @evan @Gargron

I'm sorry if I'm being thick (and feel free to tell me) - but...

I get a signature with a keyID of `evil.com/evil#sig`

I get the public key from evil.com

I verify the time, digest, and signature all match.

The body of the message says actor example.com/edent Creates...

When / how do I then check that edent's public key is the same as the one in the keyID?

@Gargron @evan
I see. So both need to be verified?

Or, to put it another way, the location of the key should be taken from the actor, not the signature header?

Another #ActivityPub question about verifying signatures.

A header contains:
`keyID="example.com/user/1#main-key`

But the body of the message might have:
"actor": "example.com/user/2"

How do I check that that message has been signed by the actor in the body?

The URls might not be in the same format. So I guess back to webfinger to request the key from the actor - ignoring the one provided in the header?

🆕 blog! “A simple(ish) guide to verifying HTTP Message Signatures in PHP”

Mastodon makes heavy use of HTTP Message Signatures. They're a newish almost-standard which allows a server to verify that a request made to it came from the person who sent it. This is a quick example to show how to verify these signatures using P…

👀 Read more: https://shkspr.mobi/blog/2024/02/a-simpleish-guide-to-verifying-http-message-signatures-in-php/
⸻
#ActivityPub #cryptography #http #mastodon #security

@evan but how do I test that?

If the keyID is "example.com/keys/123456" that might lead to a fake page which claims to be from the user in the body.

(Feel free to tell me I've overthinking this.)

@Gargron Yet another thing for me to try and fix if I ever get any spare time!

Nerdy #ActivityPub and #oEmbed question.

Why can't I send an "Accept: application/json+oembed" request to a URl to receive the oEmbed version?

Instead, I have to request the full page, look for the <link>, parse that, then request the oEmbed.

Seems inefficient - but am I missing something?

@Gargron oh yeah. And every time they say sorry and pay it a few days later.
I don't need the hassle, so will drop them as a client. Life's too short to work with people who aren't professional.

@Gargron once is a mistake, twice is a coincidence, three times is <del>enemy action</del> incompetence.