Post AVCbCiy06xgLzfXMtk by strypey@mastodon.nzoss.nz
 (DIR) Post #AVBPdKVdl4cVLpERNY by raccoon@home.social
       2023-04-29T17:32:44Z
       
       0 likes, 1 repeats
       
       🧵 [1 / 15] So, #Bluesky is all the hype now and a lot of #Mastodon people are falling for the olde "invite link" trick, which not only paints what is ultimately going to be another social media shitshow as an exclusive club, but also sneakily turns everyone's curiosity into a vessel for word-of-mouth advertisement to piggyback on. Well, maybe the AT Protocol is at least better than #ActivityPub. So, since it is on #Github [1], let's have a quick look and ... Aww shit! Thread time...
       
 (DIR) Post #AVBPdLTu90pGMjQZJQ by raccoon@home.social
       2023-04-29T17:32:44Z
       
       1 likes, 0 repeats
       
       🧵 [2 / 15] The first thing to notice is that Bluesky uses three programming languages: Go, TypeScript and JavaScript. TypeScript is actually just JavaScript with some type safety checks nailed on top. Technically that is an improvement, but so is putting a "careful, hot" sticker on a cup of coffee. For all intents and purposes, the whole AT Protocol layer is written in JavaScript. https://www.youtube.com/watch?v=Uo3cL4nrGOk
       
 (DIR) Post #AVBPdQ5d0hNUet6kfQ by raccoon@home.social
       2023-04-29T17:32:44Z
       
       0 likes, 0 repeats
       
       🧵 [3 / 15] JavaScript was originally envisioned as a toy programming language for text manipulation. More specifically: manipulating the HTML inside a Netscape Navigator window (the ancestor of the Firefox web browser). As such, it was only informally specified (resulting in browser vendors deliberately implementing slightly incompatible dialects) and lacked a type system (which makes a language more difficult to learn, but also prevents a lot of bugs). https://www.youtube.com/watch?v=et8xNAc2ic8
       
 (DIR) Post #AVBPdRjit72nlWsHnk by raccoon@home.social
       2023-04-29T17:32:44Z
       
       0 likes, 0 repeats
       
       🧵 [4 / 15] Needless to say, JavaScript was shunned by professionals, but thanks to the rise of the web, the language was doomed for success. Microsoft eventually thought to rectify the original sin by standardizing JavaScript as ECMAScript and later adding a type checking extension (TypeScript), but by then the damage was already done.
       
 (DIR) Post #AVBPdTLgtR0clZe7cW by raccoon@home.social
       2023-04-29T17:32:44Z
       
       0 likes, 0 repeats
       
       🧵 [5 / 15] For years, people of various (or no) coding skills had been writing JavaScript code, and due to the browser compatibility issue that often came down to just copy-pasting someone else's solution without really understanding why it was working. This was fine, because the worst case scenario was hanging someone's browser window. However, in 2009 [2], someone had the idea of taking the script engine out of the browser, making it a standalone interpreter, and suddenly,
       
 (DIR) Post #AVBPdV2cbIwa10jvAu by raccoon@home.social
       2023-04-29T17:32:44Z
       
       0 likes, 0 repeats
       
       🧵 [6 / 15] JavaScript became a system programming language! From a technical point of view, that was a horrible decision, but it allowed for (cheaply) hiring JavaScript jockeys as (full stack) system engineers or even architects. So naturally, this caught on.
       
 (DIR) Post #AVBPdWqHu8GZbKz6EC by raccoon@home.social
       2023-04-29T17:32:44Z
       
       0 likes, 0 repeats
       
       🧵 [7 / 15] Nowadays, we have Node.js (the command-line interpreter), NPM (the package manager), a community of copycat programmers and tons of poorly maintained legacy code for solving trivial problems, rotting in the NPM repository. Don't get me wrong, there are things you should not implement yourself (e.g. anything related to cryptography), but in the Node.js ecosystem, dependencies are transient: even if you only pull respected packages into your project,
       
 (DIR) Post #AVBPdZ6JVWH2bcUvU8 by raccoon@home.social
       2023-04-29T17:32:44Z
       
       0 likes, 0 repeats
       
       🧵 [8 / 15] you are still at risk of them pulling some nonsense from somewhere else. A typical JavaScript project easily depends directly and indirectly on a couple hundred other projects and is virtually impossible to audit for security. So, how dangerous is it to write your server-side code in JavaScript?
       
 (DIR) Post #AVBPdap16nctwYQ8no by raccoon@home.social
       2023-04-29T17:32:45Z
       
       0 likes, 0 repeats
       
       🧵 [9 / 15] In 2022, Russia launched a full scale invasion of Ukraine. To say this made a lot of people unhappy would be an understatement, and there were many forms of protest, including one in which a JavaScript developer thought that his code had the right to nuke the user's system if run on Russian servers [3]. I'm not going to go into the moral aspects of what he did, nor how haphazardly it was implemented, but thanks to the transient nature of the ecosystem,
       
 (DIR) Post #AVBPdcdkLfndaBAAVs by raccoon@home.social
       2023-04-29T17:32:45Z
       
       0 likes, 0 repeats
       
       🧵 [10 / 15] his malicious code got millions of downloads, just by being an indirect dependency.
       
 (DIR) Post #AVBPdeGmI2cCdWQqzQ by raccoon@home.social
       2023-04-29T17:32:45Z
       
       0 likes, 0 repeats
       
       🧵 [11 / 15] This was by far not the first attack in the ecosystem, nor was it the most sophisticated. Typosquatting, for example, is a common problem [4]. Another one is that developers lose interest in their projects and transfer ownership to the first person willing to take over, abandon them altogether, or get their developer accounts hacked (this problem is so bad that Github could leverage it as an excuse to force 2FA on developers in 2022 [5]).
       
 (DIR) Post #AVBPdfwI5BPpoYrWKm by raccoon@home.social
       2023-04-29T17:32:45Z
       
       0 likes, 0 repeats
       
       🧵 [12 / 15] So, now we have Bluesky. A company that wrote its backend code in TypeScript and, as a social network, has a huge target painted on its back. Want to break into their servers? Here's how you'd do it:
       
 (DIR) Post #AVBPdhiBUbJvJOHHcm by raccoon@home.social
       2023-04-29T17:32:45Z
       
       1 likes, 0 repeats
       
       🧵 [13 / 15]
       1. Download the Bluesky source code [1].
       2. Look for package.json files, extract the dependencies, build the dependency graph.
       3. Find all dependencies where the version code begins with a "^" ("this or newer") - rookie mistake (hint: applies to almost all of them).
       4. Check third party dependencies for maintainer fatigue (you will probably find a dozen); offer to buy their projects.
       5. Lay low for a few months, then trojanize your acquisition; wait for Bluesky to pull.
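
       The defender-side counterpart of step 3, added here as an example and not code from the thread or from the Bluesky project: it parses a constructed package.json and reports every dependency spec that is not an exact, immutable pin (caret, tilde, wildcard, open ranges, git URLs), which is exactly the set a floating install could silently upgrade.

```javascript
// Added example: audit a package.json for dependency specs that let an
// install drift to a newer release. The package.json below is constructed
// for illustration; the package names are placeholders.
const samplePackageJson = JSON.stringify({
  name: "example-service",
  dependencies: {
    "left-lib": "^1.4.0",                 // caret: any 1.x >= 1.4.0
    "tilde-lib": "~2.1.3",                // tilde: any 2.1.x >= 2.1.3
    "pinned-lib": "3.0.2",                // exact version, the only safe kind
    "any-lib": "*",                       // anything at all
    "git-lib": "github:someone/some-lib", // mutable git ref, no version
  },
  devDependencies: { "test-tool": ">=5.0.0" },
});

// Classify one version spec. Returns null only for an exact semver pin.
function classifySpec(spec) {
  const s = spec.trim();
  if (/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.test(s)) return null;
  if (s === "" || s === "*" || s === "latest") return "wildcard";
  if (s.startsWith("^")) return "caret";
  if (s.startsWith("~")) return "tilde";
  if (/^[<>=]/.test(s) || s.includes(" - ") || s.includes("||")) return "range";
  if (/^(github:|git\+|https?:|file:|npm:)/.test(s) || s.includes("/")) return "url-or-alias";
  if (/^\d+(\.\d+)?(\.x|\.\*)?$/.test(s)) return "partial"; // "1", "1.2", "1.x"
  return "unknown";
}

// Walk every dependency section and return the floating entries.
function findFloatingDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(String(spec));
      if (kind !== null) findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Usage on the constructed manifest: prints one line per floating dependency.
for (const f of findFloatingDeps(samplePackageJson)) {
  console.log(`${f.section}: ${f.name}@${f.spec} (${f.kind})`);
}
```

       Pinning alone is not enough: the report is only meaningful together with a committed lockfile and `npm ci --ignore-scripts` in CI, so the installed tree cannot differ from what was reviewed.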
       
 (DIR) Post #AVBPdjO3GQP8VWsEWO by raccoon@home.social
       2023-04-29T17:32:45Z
       
       0 likes, 0 repeats
       
       🧵 [14 / 15] Congratulations, Bluesky now runs your code. What it does is up to you. It lives near the part responsible for handling user identities and content.
       
 (DIR) Post #AVBPdl6krhkzqSnRq4 by raccoon@home.social
       2023-04-29T17:32:45Z
       
       0 likes, 0 repeats
       
       🧵 [15 / 15] Sources:
       [1] https://github.com/bluesky-social
       [2] https://en.wikipedia.org/wiki/Node.js
       [3] https://arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/
       [4] https://www.bleepingcomputer.com/news/security/npm-supply-chain-attack-impacts-hundreds-of-websites-and-apps/
       [5] https://github.blog/2022-02-01-top-100-npm-package-maintainers-require-2fa-additional-security/
       
 (DIR) Post #AVCbCiy06xgLzfXMtk by strypey@mastodon.nzoss.nz
       2023-05-01T06:11:15Z
       
       0 likes, 0 repeats
       
       @raccoon Noob questions: is there an ActivityPub implementation that doesn't use JS? Are all the ones that do (including Mastodon) subject to the security vulnerability you lay out here?
       
 (DIR) Post #AVD3E3kZ7eIrSSg62y by raccoon@home.social
       2023-05-01T11:25:13Z
       
       0 likes, 0 repeats
       
       @strypey On the noob level, I'd say: don't bother. This is not your problem to deal with. As a user, you are not an immediate target.
       
 (DIR) Post #AVD3zlygVDBmEq28jA by strypey@mastodon.nzoss.nz
       2023-05-01T11:33:51Z
       
       0 likes, 0 repeats
       
       @bob
       > this means that it can run in browsers like Lynx without any loss of functionality, whereas Mastodon will just tell the user to go away
       Hey @screwtape this may be of interest to you and the folks at sdf.org @raccoon
       
 (DIR) Post #AVD65niT9SW9HAS1js by strypey@mastodon.nzoss.nz
       2023-05-01T11:57:21Z
       
       0 likes, 0 repeats
       
       @raccoon
       > As a user, you are not an immediate target
       Let's say I'm a noob Mastodon admin. Are all the ActivityPub implementations that use JS subject to the security vulnerability you lay out here?
       
 (DIR) Post #AVD7bFSs8KjcGdiNpw by raccoon@home.social
       2023-05-01T12:14:00Z
       
       0 likes, 0 repeats
       
       @strypey Good question. As I said elsewhere in this thread: the Mastodon setup instructions tell you to download node.js - that is a red flag (which would make me look immediately for a different ActivityPub implementation - in fact, I think this was the reason why I shelved the idea of self hosting my own instance). But the actual problem only comes into play when node.js runs code automatically pulled via NPM/yarn. Right now, I can't tell you if that is the case (it doesn't have to be).
       
 (DIR) Post #AVDkxOu9c2pm811u2S by screwtape@mastodon.sdf.org
       2023-05-01T19:35:11Z
       
       0 likes, 0 repeats
       
       @strypey @bob @raccoon Aside, the ActivityPub protocol refers to sending a Context JSON via web PUT and GET requests. To use Mastodon I endorse #mastodonel in Emacs or, for your own client-to-server API use, Common Lisp's #tooter official package, which is based on Edi Weitz' drakma for web requests. Another aside, I became a true believer in #links2 rather than lynx, except that lynx directly supports #gopher and people already have it installed.
       
 (DIR) Post #AVE5d1WsuTYYsQGpDk by strypey@mastodon.nzoss.nz
       2023-05-01T23:26:52Z
       
       0 likes, 0 repeats
       
       @raccoon
       > As I said elsewhere in this thread: the Mastodon setup instructions tell you to download node.js
       Do you BlueSky? I just double-checked and I don't see any mention of Mastodon in the thread before I brought it up. Unless I'm missing some posts?
       
 (DIR) Post #AVF1VL3UDxO2SZYkoC by raccoon@home.social
       2023-05-02T10:15:18Z
       
       0 likes, 0 repeats
       
       @strypey It's a thread under post 2: https://fediscience.org/@razanau/110283377401667364
       
 (DIR) Post #AVGEEB1BmW9ayBaka0 by strypey@mastodon.nzoss.nz
       2023-05-03T00:12:38Z
       
       0 likes, 0 repeats
       
       @raccoon
       > It's a thread under post 2
       Can't see it. If nobody on the server I'm on is following the other people in the thread, would I see those posts? I presume I would, unless they're blocking me or the server I'm on, but I'm often surprised to find Mastodon doesn't work quite how I expect.