savvywolf

@savvywolf@pawb.social

This is a remote user, information on this page may be incomplete. View at Source ↗

Hello there!

I’m also @savvywolf@mastodon.scot , and I have a website at www.savagewolf.org .

⁨Comment⁩ on ⁨Here is a more polished release of nanogram. Fully compatible on raspberry pi now.⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Two factor authentication won’t help here. You have to build your app with the assumption that any attacker has a valid login and credentials and therefore restrict them to only information they have permission to see.

File uploads are encrypted in transit from the client to the server but not encrypted on the server.

Usually when people talk about e2e encrypted messaging they mean that everything is encrypted. That includes images and text content. The server should not be able to read any contents of any message sent through it.

Again this is a design choice I don’t want gifs.

Why? Sending memes is a core part of any social media experience.

There are filetype checks on line 350 of the app.

Line 350 in both files doesn’t seem to contain any filetype checks. I assume you mean file.content_type. That may not be accurate to the actual file uploaded; it can be spoofed.

Yes deleting is atomic.
```
        # Delete the associated message if it exists
        if chat_file.message_id:
            msg = db.get(Message, chat_file.message_id)
            if msg:
                db.delete(msg)
        ---> Here
        # Delete file from disk
        file_path = os.path.join(CHAT_FILES_DIR, file_uuid)
        if os.path.exists(file_path):
            os.remove(file_path)
```
If the application crashes/closes at the indicated point, then you will delete the message from the database but still have the image on the server. If this is an image served from /img/whatever, it would have no checks beyond a login check.
⁨Comment⁩ on ⁨Here is a more polished release of nanogram. Fully compatible on raspberry pi now.⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

to the extent Tor is secure

Tor doesn’t automatically secure your app. If your social media instance has 1000 users on it, and one user gets compromised, then the other 999 users shouldn’t have any interactions outside of that user leaked.

web crypto can be utilized for group and 1-1s for an additional layer of encryption

Are file uploads encrypted?

How would you ever discover a filename?

Maybe you have a data leak. Maybe they send the filename in plaintext somewhere. Maybe they take advantage of the fact that UUIDs might be deterministic. But if I may flip the question… Why does an inaccessible post even need to return 403 anyway? It just functions as a big footgun that may cause any other exploits to behave worse.

Even if you have the correct link, if those two conditions arnt satisfied you will not be able to view.

But you can determine its existence or not through the status code.

This was a design choice to have consistency in filetypes. What’s the downside? All browsers will support displaying a jpg.

Gifs will lose any animation, pngs will lose quality. Also, as far as I can tell, there’s nothing stopping a malicious user uploading a non-image file.

Which part are you talking about?

There are two steps to making a post: Upload and store the image and add the post to the database. There’s also similar steps to deleting a post: Removing the image upload and removing the post from the database. Are both these operations atomic?

Everything except the login page, registration link will behind these two checks see (def login) where the @loginrequired logic is defined for each of the app routes.

It’s not that hard for a sufficiently motivated adversary to get an account on a sufficiently large instance. You need to ensure that one user account being compromised doesn’t result in information leakage from unrelated accounts.

This discussion stems from issues I found in just one function. You’re making a product which requires a very high level of security. You need to understand how to write secure code, and your LLM won’t be able to do it for you.

I don’t want to discourage you from programming in general, but making a very secure social media site is a rather complex undertaking for someone new to programming.
⁨Comment⁩ on ⁨Here is a more polished release of nanogram. Fully compatible on raspberry pi now.⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
1. You list “Activist/journalist secure communication” as a use case. Not all countries have freedom of press.
2. Looks like you name images based on a random uuid, so that should protect against filename attacks. But if you do have a filename you can tell whether the image has been an image or not.
Also, looks like all uploads are converted to jpg, regardless as to whether the original image was a jpg (or even an image) or not. Don’t do that.
1. Can you point to where in code this invariant is enforced?
⁨Comment⁩ on ⁨Here is a more polished release of nanogram. Fully compatible on raspberry pi now.⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Had a quick skim and found this little guy:
```
# ---------- Protected media route ----------
@app.route('/img/<path:name>')
@login_required
def media(name):
    db = SessionLocal()
    try:
        me = current_user(db)
        # Find the post with this image
        post = db.query(Post).filter_by(image_path=name).first()
        if post:
            # Check visibility
            can_view = post.user_id == me.id or db.query(UserVisibility).filter_by(
                owner_id=post.user_id, viewer_id=me.id
            ).first() is not None
            if not can_view:
                abort(403)
        return send_from_directory(UPLOAD_DIR, os.path.basename(name))
    finally:
        db.close()
```
I’ve not read through everything, but there are some security concerns that jump out to me from just this function. Hopefully you can enlighten me on them.

Firstly, what is stopping a logged in user from accessing any image that, for whatever reason, doesn’t have an associated post for it?

Secondly, the return codes for “the image doesn’t exist” (404) and “the image exists but you can’t access it” (403) look to be different. This means that a logged in user can check whether a given filename (e.g. “epstien_and_trump_cuddling.jpg”) has been uploaded or not by any user.

Both of these look to be pretty bad security issues, especially for a project touting its ability to protect from nationstates. Am I missing something?
⁨Comment⁩ on ⁨Released: CyberTools Admin 1.5.0 — Backup/Restore Automation for CyberPanel & Linux Servers⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
There’s tons of backup solutions out there. Why should selfhosters buy a proprietary one?
⁨Comment⁩ on ⁨Are there any games you don't play as it was intended to be played? If so, what game and how?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Last time I used the recomp, which has the randomiser built in. The game looks and runs much nicer through it.

www.shipofharkinian.com
⁨Comment⁩ on ⁨Are there any games you don't play as it was intended to be played? If so, what game and how?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
I grew up with Zelda Ocarina of Time, so now every time I feel like playing it I use a randomiser to put all the items in random locations. It makes every playthrough more unique and interesting.
⁨Comment⁩ on ⁨How do you secure your home lab? Like, physically? From thieves?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Encryption and offsite backups. If someone nicks it then they don’t get any private information. And with backups it’s easy enough to just push the data onto a new device.
⁨Comment⁩ on ⁨What's your favourite menu music in a game?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
www.youtube.com/watch?v=yOUUS6JIRQ0

Have a very nostalgic theme for a very specific group of people. :P
⁨Comment⁩ on ⁨Why doesn't Ghost v6 include Fediverse commenting ?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
So, to address the elephant in the room… Why does commenting on a blog post need any kind of account? Why not have fields for “name” and “comment body” and use capcha and/or manual approval to guard against spam?

Like, why does everything need to be tied to an account nowadays?
⁨Comment⁩ on ⁨Those who are hosting on bare metal: What is stopping you from using Containers or VM's? What are you self hosting?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
I’ve always done things bare metal since starting the selfhosting stuff before containers were common. I’ve recently switched to NixOS on my server, which also solves the dependency hell issue that containers are supposed to solve.
⁨Comment⁩ on ⁨Backup/Server Options - is Syncthing / Nextcloud really the go?⁩ ⁨⁨4⁩ ⁨months⁩ ago⁩:
Syncing software is not a backup. I’ve had cases where they get confused and end up deleting data. They’ll also blindly copy over corrupted or randomwared files.
⁨Comment⁩ on ⁨Mario 64 wastes SO MUCH MEMORY | Kaze Emanuar⁩ ⁨⁨4⁩ ⁨months⁩ ago⁩:
Imagine falling into lava and hearing “It’s-a okay Kühlschrank, we-a all make-a mistakes”.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨4⁩ ⁨months⁩ ago⁩:
The problem is checking for malware: It’s very hard to do that and a lot of malware has evolved attempts to avoid detection.
⁨Comment⁩ on ⁨Your favourite piece of selfhosting - Part 1 - Operating System⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
I’ve been using NixOS on my server. Having all the server’s config in one place gives me peace of mind that the server is running exactly what I tell it to and I can rebuild it from scratch in an afternoon.

I don’t use it on my personal machine because the lack of fhs feels like it’d be a problem, but when selfhosting most things are popular enough to have a module already.
⁨Comment⁩ on ⁨Simplifying Crypto Parties⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
Would it? I would assume a “confirmed human” Fedi account could be worth $5-20. If you live close enough to the library, it’s like 5 mins to pop in, drop off the piece of paper and go about your day. Double if you can sneak in two pieces of paper.
⁨Comment⁩ on ⁨Simplifying Crypto Parties⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
What’s stopping someone making a new account every month this way or going to many different libraries and then just selling the account to bot farm operators?
⁨Comment⁩ on ⁨Simplifying Crypto Parties⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
How does the library confirm that the account name is connected to an actual person?
⁨Comment⁩ on ⁨How to combat large amounts of Ai scrapers⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
It’ll still slow them down and reduce load on your server. I also think many of these crawlers focus on volume; time spent computing the hash is time not spent crawling someone else’s site.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
Most registrars have some form of whois protection now, so the only people who can easily see it are the registars themselves (and the government that controls them).

Assuming you’re paying for a domain using real money, they’ll need your information on file as part of the online payment anyway, so using a fake id doesn’t really hide anything from them.
⁨Comment⁩ on ⁨How to combat large amounts of Ai scrapers⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
I’ve seen people suggesting and using Anubis, haven’t used it myself though.
⁨Comment⁩ on ⁨PewDiePie: I'm DONE with Google⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
If it stays up, it’s certainly going to be interesting seeing the difference in view counts between it and his other videos.
⁨Comment⁩ on ⁨What’s the best, reasonably priced, handheld device I can buy to play GameCube games?⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
Probably a Steam deck; I’ve used mine to play Gamecube games and it’s worked fine.
⁨Comment⁩ on ⁨XPipe - A connection hub for all your servers: Status update for the v16 release⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
Had a quick look through your website and something jumped out at me (about the enterprise edition, I assume that the community edition doesn’t have this clause):

There is not a hard limit for activations per license as we understand the need to run XPipe on many machines per user. There is instead a soft activation/usage limit that is tracked for the license key and uses common usage patterns as a reference.

I may be missing something obvious (it’s a hobby of mine), but I can’t seem to find anywhere what exactly these soft limits are.
⁨Comment⁩ on ⁨I'm the creator of Seedit and I'm here to share how it works and clear up some Concerns/FUDS⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:

Incorrect

Uhh… No, your link is to Github. If Microsoft decide they don’t like something you’re doing, they can wipe your app off the surface of the planet. At least mirror it to Codeberg or something.

Same thing for Google and Apple by the way, if you want to make a mobile app. They don’t like you, you’re gone from their platform.

They can make you life harder, tracking you, sending you to jail etc but they can’t prevent the initial p2p connection.

Honestly, if I were doing anything that required a uncensorable network connection, “avoiding going to jail” feels like it’d be one of my top priorities…

Also, no, base64 encoding isn’t allowed in the protocol, you literally can’t publish it to the p2p network because there are character limits.

What are you going to do? Ask people politely to not do it?

Nope, how would that make any sense? A community is such if it’s moderated. If it’s unmoderated, it’s not even a community, it would be fully unusable because of spam.

Every time Plebbit has been shilled here, the advertising has always criticized “power-tripping” Reddit and Lemmy[sic] mods and tries to place itself as a “free speech” platform.

Our clients use github.com/plebbit/temporary-default-subplebbits

So your decentralised peer to peer platform has a list of curated nodes that must have nearly 100% uptime.

you can query the ethereum and solana blockchains for .eth and .sol domains respectively with text records/subdomains of value “subplebbit-address” (see: dune.com/plebbit/plebbit-protocol) and we’ll support more decentralized domain systems later.

Just copy ATProto and use did identifiers with DNS. No need to use blockchain for name lookups.

Okay, this project has consumed too much of my time so… I’m probably just going to leave it here. However I do have some last thoughts.

I agree that ActivityPub does have centralization problems. It’s mostly decentralized, but has problems with having many small kingdoms that tend to not always get along. I think that’s something that ATProto gets right; your name and “instance” are decoupled so it’s trivial to hop from one to another. And honestly, I think a Lemmy-like built on top of ATProto could work really well, and may even be better than AP based ones.

But… This project seems to be reinventing the wheel for no good reason. It ignores existing technologies in favour of venture capitalist scams. It has a very muddled set of priorities. The project management is sending out massive red flags. I don’t have trust that this project will solve the problems with Lemmy and Reddit.
⁨Comment⁩ on ⁨I'm the creator of Seedit and I'm here to share how it works and clear up some Concerns/FUDS⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:

doesn’t rely on any servers or instances .

Yet is hosted on Github and presumably requires a working DNS and HTTPS system to download.

Users connect to your node directly, p2p, and nobody can stop you.

Except your ISP and/or government.

the protocol is text only, to embed media, you need to host it on the regular ( Centralized ) internet, and then you link to it like example.com/image.jpg, and the host will stop hosting that image and report your IP.

So your supposedly non-centralized project requires external hosting? It’s like NFTs where the images were just worthless links. :P Also, uh, base64 encoding is a thing and clients will absolutely start supporting it.

the community creator can assign mods, mods can remove posts from that community.

… Isn’t this what you’ve been trying to avoid?

if a community is badly moderated, the user will never see it, it wont be recommended to him.

Finally, a mention of content discovery. How is your recommendation system implemented? What decides whether a community is worth being recommended?

Also being p2p, seedit is not private, so it can’t really be used for illegal activity

Wait… Isn’t your whole pitch that it was censorship resistant? Can you clarify your threat model here, who are you actually worried about censoring your platform?

[ActivityPub servers] are hard to run and manage.

And using a completely unknown new service and protocol isn’t? I’m sure there’s tons of documentation out there for hosting Mostodon or Lemmy servers.

the problem with federated social media is that each federated instance is just a regular centralized sites.

I agree with this, but not for the reasons you’ve stated.

P2P also scales infinitely, which is the reverse of centralized websites like federated instances: the more users there are, the faster it gets.

P2P scales much worse than centralized systems. Centralized systems scale at N connections per node, while P2P systems scale at N^2 connections per node.

You know what, I don’t mind this project. We need a place for far right people to go to to avoid “censorship” (getting banned from a subreddit for doing nothing but throwing slurs at people) and collaborate on their “plans” (killing minorities) on a platform that is “private” (easily traceable, unencrypted and linked to your IP address).
⁨Comment⁩ on ⁨Why selfhosted social media protocols are hated ?⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:
It still looks like you’re relying on IP addresses, which means if you want to host a Plebbit server (sorry, “always on peer”) you need one of the following:
- Use a hosting provider, which is something you want to avoid according to your pitch.
- Serve it from your own personal network under your own IP. Given that you’re worried about censorship from even the DNS system, I imagine this is something you absolutely don’t want to do.
⁨Comment⁩ on ⁨Why selfhosted social media protocols are hated ?⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:
Imagine Bob is hosting a community about cat pictures, and I want to send him a picture of my cat to forward to other followers of that community.

How do I:
- Locate bob given a name or some other ID
- Verify that it is indeed Bob (and not someone pretending to be Bob)
- Prove to Bob that I am indeed who I say I am
- Send that cat picture without anyone in the middle snooping on it
All of this in a political environment that bans the sharing of cat pictures.
⁨Comment⁩ on ⁨Why selfhosted social media protocols are hated ?⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:

With Plebbit there’s no global admins like Reddit, so you fully own your community and nobody can take it away from you.

I mean, that’s true of Lemmy and any other message board type system based on ActivityPub and ATProto. From a technical standpoint, there is no central authority on them.
⁨Comment⁩ on ⁨Why selfhosted social media protocols are hated ?⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:
My question is… What does this do that ActivityPub and ATProto doesn’t do? That’s the angle you should approach this from (and be ready to defend… People on Lemmy seem adamant that ActivityPub is perfect and unbeatable…). We’re technical people here, sell it as a technical solution to a problem rather than using buzzwords or comparing it to Bitcoin.

You’ve mentioned serverless many times, but ultimately I need to send content somewhere and ask someone to send me content. I can’t just throw my posts into the wind and expect someone else to get them. So how do I make a post if not by sending it to a trusted person?