Comment

Comment on The fediverse has a bullying problem

It sounds like she’s very upset that Dansup made it explicit that he was fixing this issue, thinking that even exposing it in commit comments (which as we know get way more readership than blog posts) would mean people knew about it, and the less people that knew about it, the safer her partner’s information would be since she is continuing to do this apparently. You will not be surprised to discover that I think that type of thinking is also a mistake.

I agreed with you at first because from your description it sounded like she was saying security through obscurity was a good thing. But that’s not the case.

What she’s saying in the blog post is that this a 0-day and should be handled according to the best practices for 0-day disclosure.

You have to decide if you want to

publish the findings before the fix -> more people will know and exploit the vulnerability but users might be aware and may or may not be able to mitigate sharing even more
publish the findings after the fix -> the opposite

I don’t pretend to know enough to judge which option is the best. But I can’t fault the blog author for pointing out that Dansup didn’t follow best practices.

source

Sort:hotnew top

AwesomeLowlander@sh.itjust.works ⁨1⁩ ⁨week⁩ ago

more people will know and exploit the vulnerability

It’s not even a vulnerability, it’s how AP works by design, is the issue at hand here. Mastodon decided they wanted to implement something not supported by AP, and everybody else had to take the heat for not ‘doing it right’.

source
- Microw@lemm.ee ⁨1⁩ ⁨week⁩ ago
  That is still not the point the commenter and the original blog author were making.
  
  What we can take away from this episode is that Pixelfed implemented the fix in a way that suggests they would not handle a 0 day exploit with a “reql” vulnerability well. And having followed dansup’s projects for a while that doesnt surprise me, because he clearly prefers to work “chaoticly” than in a structured, regulated way.
  
  The “taking the heat” is something completely seprrate and boils down to stupid people on the internet needing to be angry at someone.
  
  source
  - AwesomeLowlander@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
    I’m not sure you can make that conclusion. This isn’t a real vulnerability, and this isn’t a surprise to anybody who knows how the AP protocol works. Dansup didn’t reveal anything that was previously unknown, the blog author just has an axe to grind. It’s unfair to assume that an actual 0 day vulnerability would have been treated the same way.
    
    source
    brrt@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
    I’m genuinely curious what you would call this and what distinguishes it from a vulnerability.
    
    Leaving aside responsibility, the system could have been set up in a way that wouldn’t have exposed user data but wasn’t. This is now fixed and user data isn’t exposed via this method any longer. What is the right word for what it was at the moment this flaw was discovered?
    
    source
    -> View More Comments
    PhilipTheBucket@ponder.cat ⁨1⁩ ⁨week⁩ ago
    Correct. And as I tangentially mentioned, even if you do think this needs to be kept secret, then the blog author would still be wrong, because this blog post is doing is doing way more “harm” by publicizing the issue than any amount of commit notes ever could.
    
    But yes, trying to keep this secret like a 0-day is completely the backwards model for how to handle it.
    
    source
- brrt@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
  I’d argue that it is still a vulnerability in this scenario. But point taken, it’s always important to find the root cause and not just put blame on the person who stumbled into the trap.
  
  source
skullgiver@popplesburger.hilciferous.nl ⁨1⁩ ⁨week⁩ ago
I don’t think dansup was in the wrong here. Yes, it’s a security issue I suppose, but the problem lies within the underlying protocol. Any server you interact with can ignore any privacy markers you add to posts, you’re just not supposed to do that.

Whether this is a 0day depends on what you expect out of the Fediverse. If you treat it like a medium where every user or server has the potential to be hostile, like you probably should, this is a mere validation logic bug. If you treat it like the social media many of its servers are trying to be, it’s a gross violation of your basic privacy expectations.

source
- ThorrJo@lemmy.sdf.org ⁨1⁩ ⁨week⁩ ago
  
  the problem lies within the underlying protocol.
  
  The problem lies with Gargron doing what Gargron does, implementing whatever the f he wants for “the Mastodon network” and not giving a crap how it affects the health of the overall fediverse.
  
  Hell, this isn’t even the first time there’s been drama over Mastodon’s advisory post scopes, not by a long shot. I kinda wish I’d saved receipts from the last couple times, some highly experienced devs have chimed in in the past.
  
  source
  - skullgiver@popplesburger.hilciferous.nl ⁨1⁩ ⁨week⁩ ago
    Mastodon is just one of many applications that uses AP for their own custom purposes. MissKey and derived software has some kind of emoji response feature to posts that’s basically unimplemented anywhere else. Lemmy’s boosting trick to make comment sync make interoperability with timeline based social media a spamfest.
    
    Maybe I should check again, but last time I looked into it there were no commonly used ActivityPub compliant servers. Everyone does their own thing just a little different to make the protocol work for their purposes. Even similar tools (see: MissKey/Mastodon, Lemmy/Kbin) took a while to actually interoperate.
    
    As far as I can tell, the idea behind the original design, where servers are mostly content agnostic and clients decide on rendering content in specific ways, hasn’t been executed by anyone; servers and clients have been mixed together for practical reasons and that’s why we get these issues.
    
    source