Post AW2BdbQs6CzMfdqcBE by parker@pl.psion.co
 (DIR) Post #AW21NmHczNKI9JL6GW by graf@poa.st
       2023-05-26T01:34:52.752683Z
       
       160 likes, 129 repeats
       
       hey friends, on may 19, 2023 an unknown user registered the domain name fedirelay.xyz and set up a fake mostr (nostr) relay to listen for requests on the fediverse. on may 20, 2023 at 20:52 (utc) a user uploaded the attached document to poast. it was originally an obfuscated javascript file (unobfuscated and attached here, renamed to .txt so you can view it in any editor). what this javascript file does is take the viewer's oauth token, encode it to make it look like a nostr pubkey and then force the clandestine mostr relay to look up that user locally, giving that server the encoded token, all while appearing to be a legitimate mostr (nostr) bridge.

       i have taken steps to completely limit access to the admin api and corrected any CSP or other issues that could possibly have contributed to this, however most of you are still vulnerable to it. the default pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. in order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps limit the CSP for that subdirectory via nginx configuration.

       if you are an instance owner, the obfuscated file hash is `b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117` so you can search yourdomain.xyz/media/b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117.js and see if you have it on your server.

       sorry to anybody i let down but i could never have foreseen this level of sophistication and i would not have ever expected it. now that we are aware of it, we will be more diligent in the future. thanks for being here with us still friends
       
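The post above recommends two mitigations for the default layout (uploads served from `yourdomain.xyz/media`, main-page CSP allowing scripts from the root domain): move media to its own subdomain, or tighten what nginx serves under `/media`. The nginx fragment below is an added example, not Pleroma's shipped config or graf's; the upload path `/var/lib/pleroma/uploads`, the hostnames `yourdomain.xyz` / `media.yourdomain.xyz` and the TLS file names are assumptions, and the backend must be told to advertise the new media base URL (Pleroma's `base_url` under `Pleroma.Upload`).

```nginx
# Option 1 (what the post recommends): serve user uploads from a separate
# origin, so a file under /media is never same-origin with the app and the
# main page's "script-src 'self'" no longer covers it.
server {
    listen 443 ssl http2;
    server_name media.yourdomain.xyz;          # assumed hostname

    ssl_certificate     /etc/ssl/media.yourdomain.xyz.crt;   # assumed paths
    ssl_certificate_key /etc/ssl/media.yourdomain.xyz.key;

    root /var/lib/pleroma/uploads;              # assumed upload directory

    location / {
        # Static files only; nothing on this host proxies to the backend,
        # so a request here can never reach the admin API.
        try_files $uri =404;

        # Do not let browsers sniff a type; a .js or .html upload opened
        # directly stays inert instead of being treated as a document.
        add_header X-Content-Type-Options nosniff always;

        # Even if an upload is HTML, it cannot run script, fetch anything,
        # or share an origin with the app when navigated to directly.
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    }
}

# Option 2 (if uploads must stay under yourdomain.xyz/media): tighten the
# headers on that prefix. Note that add_header inside a location replaces
# the server-level add_header set, so repeat any header you rely on here.
server {
    listen 443 ssl http2;
    server_name yourdomain.xyz;                 # assumed hostname

    ssl_certificate     /etc/ssl/yourdomain.xyz.crt;         # assumed paths
    ssl_certificate_key /etc/ssl/yourdomain.xyz.key;

    location ^~ /media/ {
        alias /var/lib/pleroma/uploads/;        # assumed upload directory
        try_files $uri =404;
        add_header X-Content-Type-Options nosniff always;
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
        # Caveat: a CSP header on the file only governs what the file does
        # when opened directly. A page on yourdomain.xyz whose own CSP
        # allows script-src 'self' can still reference a same-origin upload,
        # which is why the separate subdomain in option 1 is the real fix.
    }

    location / {
        proxy_pass http://127.0.0.1:4000;       # assumed backend address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, the IoC check from the post still applies: a file named after the given hash with a `.js` extension in the upload directory is the indicator to look for.
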
 (DIR) Post #AW21WMjLMbbLVKOkKG by DK_Dharmaraj@poa.st
       2023-05-26T01:36:28.281829Z
       
       37 likes, 2 repeats
       
       @graf State actor suspected?
       
 (DIR) Post #AW21d5fXCDKQcGp5ma by OceanRedux@poa.st
       2023-05-26T01:37:40.947955Z
       
       3 likes, 0 repeats
       
       @graf RIP 🙏
       
 (DIR) Post #AW21eBVGzNWb08XrEG by MemeLandfill@poa.st
       2023-05-26T01:37:52.988295Z
       
       1 likes, 0 repeats
       
       @graf must have been a nose don't sweat it mate
       
 (DIR) Post #AW21geI6vauErcZ0SG by mona@frennet.xyz
       2023-05-26T01:38:21.271Z
       
       1 likes, 0 repeats
       
       @graf@poa.st how would this affect misskey since it handles uploads and storing of media differently?
       
 (DIR) Post #AW21hcuTY5FGryyUaG by IsraelDelendaEst@poa.st
       2023-05-26T01:38:29.576154Z
       
       18 likes, 0 repeats
       
       @DK_Dharmaraj @graf absolute state actor maybe
       
 (DIR) Post #AW21iatUWs6ouIyYNc by graf@poa.st
       2023-05-26T01:38:38.577823Z
       
       5 likes, 0 repeats
       
       @mona @mona as far as i know this is strictly pleroma (and maybe just pleromafe)
       
 (DIR) Post #AW21mVgnp1LTvJuLq4 by mona@frennet.xyz
       2023-05-26T01:39:24.792Z
       
       4 likes, 1 repeats
       
       @graf@poa.st very interesting this is a bit crazy to use a fake nostr node wow
       
 (DIR) Post #AW21sXUK2zaREuwfJI by MeBigbrain@poa.st
       2023-05-26T01:40:28.462676Z
       
       5 likes, 0 repeats
       
       @graf They sure go to great lengths for their faggotry.
       
 (DIR) Post #AW223UfoqtEVhCXw00 by Forgetful_Gynn@poa.st
       2023-05-26T01:41:50.383569Z
       
       1 likes, 0 repeats
       
       @graf Why were DM's being archived for so long and visible to mods to begin with?
       
 (DIR) Post #AW223VI6YXrFbwSVfs by graf@poa.st
       2023-05-26T01:42:24.844529Z
       
       4 likes, 0 repeats
       
       @Forgetful_Gynn ? that's how the site functions? it was never visible to mods, it is only visible to admins on poast
       
 (DIR) Post #AW226o3fEl78gWHN7w by Tony@clew.lol
       2023-05-26T01:43:04.344779Z
       
       1 likes, 0 repeats
       
       Thank you for the tips and figuring out the problem! Retards will stop at nothing to point fingers.
       
 (DIR) Post #AW22EaAkkPBFw5Iq5w by Forgetful_Gynn@poa.st
       2023-05-26T01:43:42.523261Z
       
       3 likes, 0 repeats
       
       @graf Admins, sorry. Will the site be changed to prevent archiving of DM's going forward? For the longest time now i've not been able to scroll up very far in mine, so I assumed it wasn't stored.
       
 (DIR) Post #AW22EaooLTDtwK2pX6 by graf@poa.st
       2023-05-26T01:44:25.960824Z
       
       2 likes, 0 repeats
       
       @Forgetful_Gynn that's a front end bug but the unfortunate part is if we do that, people who expect them to be there will be upset if they are gone. people who have memories or something similar in their dms. it would have to be a site wide decision to truncate them after x
       
 (DIR) Post #AW22HDR1k23AHlAdai by Earmuffs@bae.st
       2023-05-26T01:44:56.745105Z
       
       0 likes, 0 repeats
       
       @Forgetful_Gynn @graf It's how the software functions mate, though only admins can see them, not mods
       I don't think the mod function even works, though maybe it's fixed now, dunno
       
 (DIR) Post #AW22KqK3cBALlIdkSu by WaifuPoaster88@poa.st
       2023-05-26T01:45:34.782628Z
       
       9 likes, 0 repeats
       
       @graf All good we know what you are up against and understand.
       
 (DIR) Post #AW22M4Q2gp6xls1bLU by EdBoatConnoisseur@poa.st
       2023-05-26T01:45:48.766736Z
       
       12 likes, 2 repeats
       
       @graf interesting, that attack method suggests it was someone deeply familiar with how pleroma and nostr work. with the age of nostr there begs the question whether it was used out of convenience or because of an intrinsic architecture reason. but for someone to know where to attack like this the question arises: was this someone or a group who dedicated time to learn the ins and outs of pleroma until finding a suitable hole, or was this someone who has used pleroma long enough to find this hole, perhaps even someone who has done some development of pleroma? because i don’t see many people out there with enough knowledge of the api and architecture of the involved software to pull this off, i’d say that there would barely be 20 people out there that can come up with something like this.
       
 (DIR) Post #AW22PakSwiyouLFzRg by synapsid@poa.st
       2023-05-26T01:46:26.817290Z
       
       2 likes, 0 repeats
       
       @graf @Forgetful_Gynn Possible to make this an ‘opt-in / opt-out’ thing if people do or don’t want to keep DMs?
       
 (DIR) Post #AW22QHOIP1nPA2DOMK by Bellerophon@poa.st
       2023-05-26T01:46:34.531777Z
       
       1 likes, 0 repeats
       
       @graf Forgive my ignorance on the subject in advance: what data is vulnerable to this attack? Someone mentioned DMs earlier, is there anything else of concern?
       
 (DIR) Post #AW22TNxMRrvaOO66fg by AnimeTradCath@poa.st
       2023-05-26T01:47:05.840803Z
       
       4 likes, 0 repeats
       
       @graf >i have taken steps to completely limit access to the admin api and corrected any CSP or other issues that could possibly have contributed to this, however most of you are still vulnerable to it. the default pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. in order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps by limiting the CSP for that subdirectory via nginx configuration.
       I'm not the best with computers so this is all Greek to me.
       
 (DIR) Post #AW22Vhz6xGtF5W1XOK by Eiswald@poa.st
       2023-05-26T01:47:33.242066Z
       
       45 likes, 7 repeats
       
       @DK_Dharmaraj @graf >could never have foreseen this level of sophistication
       Beat me to it. Literally reads like a private corporation, probably state affiliated (pick of the litter with these seething kikes), has a bone to pick with Poast and other instances. There's also a fairly good chance that this was just a scare tactic. They want to drive users away from platforms like this for obvious reasons, to where I don't know because I cannot imagine anyone here going to twitter or some other curated, algorithmically policed platform. Whoever it was they were probably very skilled and either paid to do it or have money behind them to begin with. I have no reason to leave and really see no good reason to leave.
       Taking a page from what Count Dankula had to say on matters like this and something I've long believed. I don't care how secure or safe that you think you or the platform or the methods you use are, you are being watched. If (((they))) want to keep tabs on you they can and will and there's nothing that can be done to prevent it short of pulling the plug on the internet. Always assume that EVERYTHING you do on the internet is being monitored.
       Anyway. This whole matter stinks to high hell and to TL;DR: you're right. It stinks like, and I hate to fucking say it, a glownigger.
       
 (DIR) Post #AW22WRlYjzNl4o2Mee by justnormalkorean@poa.st
       2023-05-26T01:47:40.698042Z
       
       21 likes, 3 repeats
       
       @EdBoatConnoisseur @graf I never trusted that guy 098709872459176491544051054086556106541
       
 (DIR) Post #AW22bGJYkFe50YEj1U by Turkleton@poa.st
       2023-05-26T01:48:33.618184Z
       
       1 likes, 0 repeats
       
       @AnimeTradCath @graf Same lol
       
 (DIR) Post #AW22d91snm1czbrlDM by Owl@nicecrew.digital
       2023-05-26T01:48:55.083623Z
       
       1 likes, 0 repeats
       
       I wish everyone would have defederated from those assholes hour zero.
       
 (DIR) Post #AW22eBCODmSQ0jH3Tc by monsterislandcolonizer@poa.st
       2023-05-26T01:49:05.225673Z
       
       2 likes, 0 repeats
       
       @graf Seems like a lot so that Ralph could brag on Twitter.
       
 (DIR) Post #AW22gULtyq2BzdpAem by Whitewall_Blasphemy@poa.st
       2023-05-26T01:49:30.077716Z
       
       2 likes, 0 repeats
       
       @graf This sounds vaguely similar to buying up .zip and other compressed file format styled domain names to hook file systems remotely via user error or sleight of hand tourism of a web site.
       
 (DIR) Post #AW22rFqSG3nGBYFUNk by justnormalkorean@poa.st
       2023-05-26T01:51:26.251243Z
       
       3 likes, 0 repeats
       
       @Owl @EdBoatConnoisseur @graf I still don't understand the pull of becoming a string of random numbers and letters
       
 (DIR) Post #AW22xeOrsMcK4xOZ04 by Tripp@poa.st
       2023-05-26T01:52:36.105220Z
       
       2 likes, 0 repeats
       
       @graf thats fucked
       
 (DIR) Post #AW22xqrJYQVAienS0O by TheWanax@poa.st
       2023-05-26T01:52:17.118492Z
       
       0 likes, 0 repeats
       
       @graf Can you clarify the part about access to media in our computer root folder? Can they use the media to enter and gain root based on the folder placement?
       
 (DIR) Post #AW22xrXr0GWsqahQJM by graf@poa.st
       2023-05-26T01:52:36.047113Z
       
       2 likes, 0 repeats
       
       @TheWanax that part is for instance admins only sorry
       
 (DIR) Post #AW232ndmwl62BbpU2q by EdBoatConnoisseur@poa.st
       2023-05-26T01:53:31.653615Z
       
       11 likes, 0 repeats
       
       @Eiswald @DK_Dharmaraj @graf 1 tell dk_dharma to unblock me (i know it wont work)
       2 i doubt it was a glownigger itself, i would put my bucks on the actual attacker having been a fediverse admin who has beef to pick with graf and friends who simply took the opportunity to be a gun for hire and receive remuneration to pull this one off. you know if you are good at something you don’t do it for free and all that.
       
 (DIR) Post #AW234SD5b1wMId87EG by djsumdog@djsumdog.com
       2023-05-26T01:53:48.469486Z
       
       4 likes, 1 repeats
       
       Interesting attack vector. Alex suggested blocking access to the admin api endpoints as a perpetuation, limiting it by IP, but it looks like that wouldn't work in this situation as an admin would be running the exploit, inadvertently, from their own browser.
       
 (DIR) Post #AW234vtdDwCYMyG048 by TheWanax@poa.st
       2023-05-26T01:53:32.920506Z
       
       0 likes, 0 repeats
       
       @graf Okay, so to clarify, average users aren't impacted by that? Also, could they have loaded media with backdoors if saved to our computers?
       
 (DIR) Post #AW234wT568Ye8uqJJw by graf@poa.st
       2023-05-26T01:53:51.790071Z
       
       3 likes, 0 repeats
       
       @TheWanax nothing but your tokens would have been taken if you came across it and they have been forcefully reset
       
 (DIR) Post #AW238fD7Ce2hmI9K0O by Sui@decayable.ink
       2023-05-26T01:54:36.151688Z
       
       0 likes, 0 repeats
       
       @Decayable Update
       
 (DIR) Post #AW23C5ZReXs4OwE9FA by graf@poa.st
       2023-05-26T01:55:08.646951Z
       
       3 likes, 0 repeats
       
       @djsumdog that was my first course of action. his post is a copypaste of my first step to limit the attack surface while looking for what was  going on
       
 (DIR) Post #AW23HtBobAsJjtwMOO by matty@nicecrew.digital
       2023-05-26T01:56:16.732938Z
       
       5 likes, 0 repeats
       
       Holy shit NGO operation confirmed
       
 (DIR) Post #AW23JG4f02ep0KFLXc by Dan_Hulson@poa.st
       2023-05-26T01:56:29.602549Z
       
       31 likes, 3 repeats
       
       @Eiswald @DK_Dharmaraj @graf What a fucking night to decide to come back to Fedi. I'm going back to painting the house for a week until people get over the fact that and @Humpleupagus were always dming dick pics to each other
       
 (DIR) Post #AW23LX5ai2BKM2la4G by Sui@decayable.ink
       2023-05-26T01:56:56.203515Z
       
       1 likes, 0 repeats
       
       It was a modpack, he's trying to save face.
       
 (DIR) Post #AW23M2Ad9LdGkeMXj6 by Owl@nicecrew.digital
       2023-05-26T01:57:01.799402Z
       
       0 likes, 0 repeats
       
       Love you, Dan. You’re a real card.
       
 (DIR) Post #AW23Pfvtlq8KwPCy8m by Owl@nicecrew.digital
       2023-05-26T01:57:41.287609Z
       
       6 likes, 1 repeats
       
       State actor working under the guise of some drama-adjacent click. @Saber was fucking right. They’re feds. This level of sophistication warrants that accusation.
       
 (DIR) Post #AW23QomoL63EgmVDKi by internetfreak@poa.st
       2023-05-26T01:57:52.113603Z
       
       1 likes, 0 repeats
       
       @graf This required some sophisticated shit to make happen. Unlike Gab that regularly gets breached by basic bitch methods. No explanation or responsibility taken. Thanks for a clear explanation on the matter, it's my intention to continue poast as I do.
       
 (DIR) Post #AW23SgJOolRwz9dMau by RupertvonRipp@poa.st
       2023-05-26T01:58:12.080389Z
       
       9 likes, 1 repeats
       
       @Owl @DK_Dharmaraj @Saber @graf Hope they enjoy our delightful poasts.  Eat shit glowies.
       
 (DIR) Post #AW23VqOpliFz8lgTHE by Dan_Hulson@poa.st
       2023-05-26T01:58:46.563104Z
       
       2 likes, 0 repeats
       
       @Owl @Humpleupagus @DK_Dharmaraj @Eiswald @graf Thanks, mate, I hope you were doing ok while I was away and I will see you real soon
       
 (DIR) Post #AW23X90W4Rvx8nvh7Q by ThymeandPlace@poa.st
       2023-05-26T01:59:00.985534Z
       
       2 likes, 0 repeats
       
       @graf Been here for a while and always appreciated your honesty and humility. This is my home bro. Thanks for the update brother graf.
       
 (DIR) Post #AW23bR4yozYaLg410S by Owl@nicecrew.digital
       2023-05-26T01:59:48.850913Z
       
       8 likes, 0 repeats
       
       Glowniggers burn in Hell.
       
 (DIR) Post #AW23coJnu8v6iGeYPg by EdBoatConnoisseur@poa.st
       2023-05-26T02:00:01.549949Z
       
       7 likes, 1 repeats
       
       @graf to expand on the concern it is of note that bae.st was also attacked, it begs the question why, as if this was just someone who had beef with graf why did he also attack baest, i can see some reasons ranging from the simple reason of sjw being a friend of graf to also attacking baest as distraction or as a way of putting pressure on both sjw and graf for whatever reason, think of it as a warning shot, like saying “this happened, now comply with X or we will do worse than just leaking your DMs”
       
 (DIR) Post #AW23ePkqCgN56n42ng by Eiswald@poa.st
       2023-05-26T02:00:19.687558Z
       
       10 likes, 0 repeats
       
       @EdBoatConnoisseur @DK_Dharmaraj @graf >i would put my bucks on the actual attacker having been a fediverse admin who has beef to pick with graf and friends
       Also very possible.
       
 (DIR) Post #AW23enXBn5iArOrTqy by Boomerman@poa.st
       2023-05-26T02:00:23.985723Z
       
       8 likes, 1 repeats
       
       @graf So this theoretically isn't just poast but the entire fediverse that's vulnerable?
       
 (DIR) Post #AW23f7HcMh8i6tjKMK by colonelj@freespeechextremist.com
       2023-05-26T02:00:28.956467Z
       
       1 likes, 0 repeats
       
       @graf hacked by nostr? with the bridge Gleason made?
       
 (DIR) Post #AW23fsZeXSUamRWtUm by graf@poa.st
       2023-05-26T02:00:32.611584Z
       
       10 likes, 3 repeats
       
       @Boomerman correct
       
 (DIR) Post #AW23kKWgYU74dAGQBk by Owl@nicecrew.digital
       2023-05-26T02:01:25.269910Z
       
       14 likes, 0 repeats
       
       “Hey, let’s just piss off like 7,000 autistic people with a widely varying set of skills, that should go over well.”
       Hope it was worth it. Chudbuds wasn’t like how Poa.st is.
       
 (DIR) Post #AW23l06ZxwBbaMNAKO by APPTeOORuzvlGOetVY.verita84@poster.place
       2023-05-26T02:01:32.466369Z
       
       1 likes, 0 repeats
       
       @ThymeandPlace @graf Good work Graf!
       
 (DIR) Post #AW23y6LY4UdWhvcaOW by FallschirmYeager@poa.st
       2023-05-26T02:03:53.085356Z
       
       2 likes, 0 repeats
       
       @graf seething trannies and glowniggers really don’t want us to talk about Far-Right politics with anime characteristics huh.
       
 (DIR) Post #AW240X09wKFTxJm8WG by EdBoatConnoisseur@poa.st
       2023-05-26T02:03:39.341504Z
       
       4 likes, 0 repeats
       
       @Eiswald @DK_Dharmaraj @graf there are at least 3 faggots i think would be petty enough to pull shit like that.
       
 (DIR) Post #AW242Hw0vehNo1frgu by Deadjuice97@poa.st
       2023-05-26T02:04:37.752358Z
       
       1 likes, 0 repeats
       
       @graf this smells like white hat job all the way, too clean, really well cooked and very sophisticated, this shit wasn't Ralph's bidding.
       
 (DIR) Post #AW246oUloMs5wu5Zjs by 1nter4ri@poa.st
       2023-05-26T02:05:27.845590Z
       
       5 likes, 0 repeats
       
       @Dan_Hulson @Eiswald @DK_Dharmaraj @graf @Humpleupagus Dan, we need to have a talk 🤭
       
 (DIR) Post #AW24ElQZ6LRKkcug88 by Dan_Hulson@poa.st
       2023-05-26T02:06:53.875644Z
       
       7 likes, 0 repeats
       
       @1nter4ri @Eiswald @DK_Dharmaraj @graf @Humpleupagus This week just keeps getting worse for me 😭
       
 (DIR) Post #AW24KGfwLjM373jGwC by billy_hughes@poa.st
       2023-05-26T02:07:53.404441Z
       
       1 likes, 0 repeats
       
       @Dan_Hulson @1nter4ri @Eiswald @DK_Dharmaraj @graf @Humpleupagus there there Dan
       
 (DIR) Post #AW24Ww7276SZ6PRUeW by Dan_Hulson@poa.st
       2023-05-26T02:10:10.978576Z
       
       7 likes, 0 repeats
       
       @billy_hughes @1nter4ri @Eiswald @DK_Dharmaraj @graf Worst about it was @Humpleupagus said I should use zoom on my camera cuz it looked small but I was already using a 100x zoom
       
 (DIR) Post #AW252wqguXq8eY3yGe by billy_hughes@poa.st
       2023-05-26T02:15:56.523869Z
       
       1 likes, 0 repeats
       
       @Dan_Hulson @1nter4ri @Eiswald @DK_Dharmaraj @graf @Humpleupagus Small for an Elephant 😆
       
 (DIR) Post #AW259605nYkAm2OMJk by Dan_Hulson@poa.st
       2023-05-26T02:17:02.779227Z
       
       2 likes, 0 repeats
       
       @billy_hughes @1nter4ri @Eiswald @DK_Dharmaraj @graf @Humpleupagus I think 3 inches is a very respectable size I will have you know
       
 (DIR) Post #AW259P8aeBpY7tVuhU by TheWanax@poa.st
       2023-05-26T01:54:59.040564Z
       
       1 likes, 0 repeats
       
       @graf Thank you.  I defecated myself when I thought they could gain root on my computer or run a shell.
       
 (DIR) Post #AW25GLrpClVq0hz6uG by like50bears@shitposter.club
       2023-05-26T02:18:24.733303Z
       
       2 likes, 0 repeats
       
       @graf Thanks for the writeup. Can you explain how the (obfuscated) js was run? I get that CSP won't prevent it, but how does a piece of user uploaded content get executed to begin with?
       
 (DIR) Post #AW25SOaGvgKHuaW8ky by bajax@bajax.us
       2023-05-26T02:20:29.378720Z
       
       5 likes, 0 repeats
       
       @Eiswald @DK_Dharmaraj @graf are you fucking kidding me?  This shit's got script-kiddie written all over it. The truth is that fedi software isn't that well written and this vulnerability was a HUGE oversight that should have been obvious to anyone with half a brain years ago.  I suspect they even knew this when they were implementing media proxy this way from the beginning, but resolved to fix it later-- and then never did.
       
 (DIR) Post #AW25ajRzETtIwbcK7U by hakui@tuusin.misono-ya.info
       2023-05-26T02:22:04.786040Z
       
       5 likes, 0 repeats
       
       @graf thanks for helping me reaffirm my stance to never run a public instance ever i guess
       
 (DIR) Post #AW25dxdwv6IRpckhX6 by animeirl@shitposter.club
       2023-05-26T02:22:40.373404Z
       
       3 likes, 0 repeats
       
       @graf Huh? Are you saying soapbox executes attachments?
       
 (DIR) Post #AW25feb4hlO1L7DO88 by TheMadPirate@detroitriotcity.com
       2023-05-26T02:22:58.525176Z
       
       0 likes, 0 repeats
       
       @graf Sounds like something a Fed would do.
       
 (DIR) Post #AW25fiarqTb5jd9HMW by graf@poa.st
       2023-05-26T02:22:55.535474Z
       
       13 likes, 0 repeats
       
       @like50bears I'm still working on that and will have more details to share later
       
 (DIR) Post #AW25fpMafxKujNWTa4 by JustJohnny@poa.st
       2023-05-26T02:22:59.471920Z
       
       2 likes, 0 repeats
       
       @graf @Forgetful_Gynn There should probably be a feature to clear/delete your chats.
       
 (DIR) Post #AW25mklw8zW0WDgH9E by bitcoin@poa.st
       2023-05-26T02:24:14.602010Z
       
       0 likes, 0 repeats
       
       @graf No need to apologize brother. Thanks for addressing and fixing.
       
 (DIR) Post #AW25oVDIxfZwqNJeng by InceptionState@poa.st
       2023-05-26T02:24:33.353669Z
       
       2 likes, 0 repeats
       
       @like50bears @graf That was my question as well, how do they get the admin to actually run it? Looks like a fairly typical stored XSS attack, the nostr bridge bit is interesting but really they could have picked any exfil method.
       
 (DIR) Post #AW25qG7O3abwbaNyD2 by coolboymew@shitposter.club
       2023-05-26T02:24:52.662519Z
       
       4 likes, 0 repeats
       
       @graf CC: @Moon you probably saw it already
       
 (DIR) Post #AW266RYLJJ8chdi9ya by deVoid@mugicha.club
       2023-05-26T02:27:49.234393Z
       
       4 likes, 0 repeats
       
       It was never visible to mods, if it were i'd be flaming more users openly for posting cringe back then
       
 (DIR) Post #AW26UxhnQ5rDN7pAjw by Nike@pleroma.nobodyhasthe.biz
       2023-05-26T02:32:14.675020Z
       
       1 likes, 0 repeats
       
       @graf Thank you for your diligence and all your contributions.
       
 (DIR) Post #AW26ba3xijCe4bLfDE by TheWanax@poa.st
       2023-05-26T02:32:04.476029Z
       
       6 likes, 0 repeats
       
       @EdBoatConnoisseur @Eiswald @DK_Dharmaraj @graf Yeah, it doesn't have to be a state-actor.  The more I thought about it: What would the feds or mossad gain by stealing DMs from here and dumping them on /cow/ and the Killstream?  They wouldn't tip their hand like that.  This feels more childish.
       The way of planting the code was really savvy, but there are hackers outside the NSA.  Whoever it was, you know they are reading this thread.
       
 (DIR) Post #AW26bamH3yeGI253HU by EdBoatConnoisseur@poa.st
       2023-05-26T02:33:25.235691Z
       
       1 likes, 0 repeats
       
       @TheWanax @Eiswald @DK_Dharmaraj @graf which is why i’m not elaborating as much as i could, just the obvious.
       
 (DIR) Post #AW26kYk20FDga5J6ye by MechaSilvio@poa.st
       2023-05-26T02:35:02.589544Z
       
       8 likes, 0 repeats
       
       @synapsid @graf @Forgetful_Gynn A 24/72 hour DM deletion option would be a cool feature to add (maybe a pain to code/host)
       That way all DMs are temporary but people can still use them to exchange a Session key / Matrix / XMPP contact and initiate chat off site.
       A good way to offload message hell from the admins too
       
 (DIR) Post #AW26n1MEa05tuaLlcu by SpaceElf@leafposter.club
       2023-05-26T02:35:30.815857Z
       
       1 likes, 0 repeats
       
       @parker @parker I don't know if this is relevant to the instance, but I saw this and figured I might ping you to save some potential effort, just in case.
       
 (DIR) Post #AW26pVGCNClpESi7bE by kirby@freespeechextremist.com
       2023-05-26T02:35:58.489090Z
       
       1 likes, 0 repeats
       
       @graf NEW PLEROMA SECURITY BUG BOYS
       
 (DIR) Post #AW26rCRrHpUDT1yPqq by kirby@freespeechextremist.com
       2023-05-26T02:36:16.885444Z
       
       2 likes, 0 repeats
       
       @graf cc @p calling 4 teh pleroma fe users
       
 (DIR) Post #AW26u0Fp53FMW5gGFU by MechaSilvio@poa.st
       2023-05-26T02:36:45.127907Z
       
       3 likes, 0 repeats
       
       @Bellerophon @graf Niggers
       
 (DIR) Post #AW26yivkuuI4EhXs9I by Constantine2nd@poa.st
       2023-05-26T02:37:34.444315Z
       
       3 likes, 0 repeats
       
       @graf This is just going to make the fediverse at large stronger in time.  Thanks for being transparent about it, graf.  Let’s kick their ass.
       
 (DIR) Post #AW26z9GD1U6FtfJZdg by Humpleupagus@eveningzoo.club
       2023-05-26T02:37:41.927029Z
       
       4 likes, 1 repeats
       
       It was just small talk. 😒
       
 (DIR) Post #AW271yiGh7Wi3MmxAe by kirby@freespeechextremist.com
       2023-05-26T02:38:13.758388Z
       
       2 likes, 0 repeats
       
       @graf @p cc @meso the asbestos is in danger :marseyglow:
       
 (DIR) Post #AW2740sDdILxKiPgAq by ApocalyptoLatte1488@nicecrew.digital
       2023-05-26T02:38:35.616571Z
       
       0 likes, 0 repeats
       
       
       
 (DIR) Post #AW274E6WRQWEMqCmm0 by kirby@freespeechextremist.com
       2023-05-26T02:38:38.142955Z
       
       1 likes, 0 repeats
       
       @graf @meso @p oh yeah and @dushman@asbeatos.cafe kind of an emergency here
       
 (DIR) Post #AW276R0ZR4A2y3TT16 by kirby@freespeechextremist.com
       2023-05-26T02:39:02.084775Z
       
       1 likes, 0 repeats
       
       @graf @meso @p cc @dushman
       
 (DIR) Post #AW276j58EqVN1PkMcq by Jean_Philippe_Micheaux@poa.st
       2023-05-26T02:39:03.708236Z
       
       4 likes, 0 repeats
       
       @Dan_Hulson @1nter4ri @Eiswald @DK_Dharmaraj @graf @Humpleupagus Dan never sent me a dick pic, now the whole world knows he likes Humps more than me now. :alexjonescrying:
       
 (DIR) Post #AW27Bg8yaazhMEuGjw by ApocalyptoLatte1488@nicecrew.digital
       2023-05-26T02:39:58.716539Z
       
       5 likes, 0 repeats
       
       
       
 (DIR) Post #AW27Bh5T57mYHeGyuW by Dan_Hulson@poa.st
       2023-05-26T02:39:56.800225Z
       
       4 likes, 0 repeats
       
       @Humpleupagus @DK_Dharmaraj @Eiswald @graf Please don't mention the word "small" when talking about my dic pics
       
 (DIR) Post #AW27E0iP4mtXjoaax6 by Omega_Variant@nicecrew.digital
       2023-05-26T02:40:23.996601Z
       
       2 likes, 1 repeats
       
       "Lol we kicked a bees nest. Seethe"
       mmmmmm no. No I am pretty sure you just kicked a nest of murder hornets. Gl with all that.
       
 (DIR) Post #AW27EvaZcZV482MeA4 by ApocalyptoLatte1488@nicecrew.digital
       2023-05-26T02:40:33.957746Z
       
       2 likes, 0 repeats
       
       
       
 (DIR) Post #AW27HogRkdYZa5UMfQ by Owl@nicecrew.digital
       2023-05-26T02:41:05.272192Z
       
       1 likes, 0 repeats
       
       If only it were bees.
       
 (DIR) Post #AW27I8cDe43hOlfGr2 by MechaSilvio@poa.st
       2023-05-26T02:41:05.707896Z
       
       3 likes, 0 repeats
       
       @EdBoatConnoisseur @graf What Graf describes is not too crazy but also it's a bug that could have sneaked onto anyone. That's how attacks work, people try shit until they find some vulnerability.
       
 (DIR) Post #AW27IgwG24I1qlIkoC by TheWanax@poa.st
       2023-05-26T02:40:41.655756Z
       
       1 likes, 0 repeats
       
       @justnormalkorean @Owl @EdBoatConnoisseur @graf From day 1, they littered everywhere with their demands to join.  It was like a cult.  Very little bothers me here, but that was total spam.
       
 (DIR) Post #AW27IyqXS4PVOElROS by Sui@decayable.ink
       2023-05-26T02:41:17.860795Z
       
       1 likes, 0 repeats
       
       ... Tiny/trivial talk?
       
 (DIR) Post #AW27K2Opj7SshQJFNA by Dan_Hulson@poa.st
       2023-05-26T02:41:27.860253Z
       
       1 likes, 0 repeats
       
       @Jean_Philippe_Micheaux @1nter4ri @Eiswald @DK_Dharmaraj @graf @Humpleupagus Hump's told me if I wanted to be an Admin on the Zoo it was just necessary part of it to share dick pics
       
 (DIR) Post #AW27KyB0uesBtMI1su by greenpx@poa.st
       2023-05-26T02:41:37.430204Z
       
       1 likes, 0 repeats
       
       @Bellerophon @graf Dms and emails, tho i saw someone saying just dms.
       
 (DIR) Post #AW27MdP57MKK2ofDc0 by Tony@clew.lol
       2023-05-26T02:41:57.479637Z
       
       1 likes, 0 repeats
       
       Hey man, it's how you use it. #respect
       
 (DIR) Post #AW27ORxgd4YX8ZiR6G by Omega_Variant@nicecrew.digital
       2023-05-26T02:42:17.177630Z
       
       0 likes, 0 repeats
       
       I have said it from the start. N-ostr glows.
       
 (DIR) Post #AW27PEeZavNk9U9Mbw by Jean_Philippe_Micheaux@poa.st
       2023-05-26T02:42:23.481336Z
       
       1 likes, 1 repeats
       
       @Dan_Hulson @1nter4ri @Eiswald @DK_Dharmaraj @graf @Humpleupagus Oh ya sorry Dan now it’s public me and Xuya were DMing each other about how much we hate you. Lol
       
 (DIR) Post #AW27PMuosP8BmBoS2q by NotoriousDOG@eveningzoo.club
       2023-05-26T02:42:27.111054Z
       
       1 likes, 0 repeats
       
       That’s how he gets you 😒
       
 (DIR) Post #AW27PUul8VpuaJqW3s by KennyWhitePowers@nicecrew.digital
       2023-05-26T02:42:28.579270Z
       
       1 likes, 0 repeats
       
       Still got it sucked...šŸ˜
       
 (DIR) Post #AW27Pk4WmTYxaxX1s0 by koropokkur@nicecrew.digital
       2023-05-26T02:42:31.242470Z
       
       1 likes, 0 repeats
       
       
       
 (DIR) Post #AW27RZ44g1LK2HBlLs by Jean_Philippe_Micheaux@poa.st
       2023-05-26T02:42:48.773965Z
       
       2 likes, 0 repeats
       
       @NotoriousDOG @Dan_Hulson @Humpleupagus @1nter4ri @DK_Dharmaraj @Eiswald @graf Were you cyberbullied too?
       
 (DIR) Post #AW27SzbnTMbceLdw8G by EdBoatConnoisseur@poa.st
       2023-05-26T02:43:04.708829Z
       
       3 likes, 0 repeats
       
       @MechaSilvio @graf my point stands tho, this wasn’t a rando nor a fed, this was someone with a personal motive and the previous knowledge to pull the attack.
       
 (DIR) Post #AW27TLrUjgEbfP9mee by ApocalyptoLatte1488@nicecrew.digital
       2023-05-26T02:43:09.748770Z
       
       0 likes, 0 repeats
       
        😂
       
 (DIR) Post #AW27VijQg27zAxVuzY by Sui@decayable.ink
       2023-05-26T02:43:35.890632Z
       
       1 likes, 0 repeats
       
       ... Without consent?
       
 (DIR) Post #AW27WGgQRhvYTUN01w by Dan_Hulson@poa.st
       2023-05-26T02:43:38.842881Z
       
       1 likes, 0 repeats
       
       @NotoriousDOG @Humpleupagus @1nter4ri @DK_Dharmaraj @Eiswald @Jean_Philippe_Micheaux @graf He promised me a Fursuit too and he never got me one 😩
       
 (DIR) Post #AW27WkSHkqRSoJz89g by justnormalkorean@poa.st
       2023-05-26T02:43:44.985331Z
       
       1 likes, 0 repeats
       
       @EdBoatConnoisseur @MechaSilvio @graf I say it was a fed with knowledge and motive.
       
 (DIR) Post #AW27YESTgnGE9YmaEC by Tony@clew.lol
       2023-05-26T02:44:03.235206Z
       
       2 likes, 0 repeats
       
       ............3" is average
       
 (DIR) Post #AW27bRgAzTSc1fiphw by Jean_Philippe_Micheaux@poa.st
       2023-05-26T02:44:36.733113Z
       
       2 likes, 0 repeats
       
        @Dan_Hulson @NotoriousDOG @Humpleupagus @1nter4ri @DK_Dharmaraj @Eiswald @graf Oh he told me he was just gonna pour glue on you and toss dog hair from a groomer friend of his and call you fluffy.
       
 (DIR) Post #AW27hz9bRgdvaDbYIq by MechaSilvio@poa.st
       2023-05-26T02:45:46.502026Z
       
       2 likes, 0 repeats
       
       @EdBoatConnoisseur @graf Definitely not a rando. But doesn't have to be some Fedi admin. This kind of stuff is what good pentesters try when auditing software companies and what hackers without a personal grudge do to sites
       
 (DIR) Post #AW27jEZTbs5jglInp2 by CompoundFraxure@poa.st
       2023-05-26T02:46:00.521375Z
       
       4 likes, 1 repeats
       
       @graf We need something like a Fediverse security wiki for admins. With so many attack vectors run by people who largely don't know advanced computer security, and since not every vulnerability/best practice can simply be patched in the code, it would certainly be helpful for admins of both large and small instances.
       
 (DIR) Post #AW27kKvTT65lgg7KYC by TeaTootler@poa.st
       2023-05-26T02:46:12.866230Z
       
       2 likes, 0 repeats
       
        @Owl @Omega_Variant @Boomerman @graf it's not hip to fuck with bees
       
 (DIR) Post #AW27nRoOK86TubHto0 by Sui@decayable.ink
       2023-05-26T02:46:47.740874Z
       
       0 likes, 0 repeats
       
       ... In china.
       
 (DIR) Post #AW27rigPXSB7Oaaleq by parker@pl.psion.co
       2023-05-26T02:47:33.773124Z
       
       5 likes, 0 repeats
       
        @SpaceElf @parker @graf I checked, we don't have the offending JavaScript on file, so we're good. I will also update the CSP so as to block execution of scripts from the media directory.
       
 (DIR) Post #AW27szZkDamo4n53jc by Jean_Philippe_Micheaux@poa.st
       2023-05-26T02:47:46.873467Z
       
       1 likes, 0 repeats
       
        @justnormalkorean @EdBoatConnoisseur @MechaSilvio @graf I mean it’s not a zero percent thing. But feds go after easier targets. Hell, just saying nigger and talking about anime 24/7 is enough of a filter.
       
 (DIR) Post #AW283yYYLdTI6IlDvM by kirby@freespeechextremist.com
       2023-05-26T02:49:47.724208Z
       
       0 likes, 0 repeats
       
       @graf cc @nekofag gl
       
 (DIR) Post #AW2877tC6Yqdumuxfc by Tadano@amala.schwartzwelt.xyz
       2023-05-26T02:50:15.724542Z
       
       0 likes, 0 repeats
       
       @parker How do you change the CSP again? It sounds considerably easier than mucking with subdomains
       
 (DIR) Post #AW287rOGvrRh2CnurI by nekofag@rdrama.cc
       2023-05-26T02:50:27.859203Z
       
       2 likes, 1 repeats
       
       @kirby @graf graf hard blocks my instance so i never saw it
       
 (DIR) Post #AW28Bu8gef7QiYRVui by Jean_Philippe_Micheaux@poa.st
       2023-05-26T02:51:10.956125Z
       
       5 likes, 0 repeats
       
       @TheWanax @EdBoatConnoisseur @Eiswald @DK_Dharmaraj @graf If the alphabet people wanted something they don’t have to go through this level of sneak they can just take it. Like you said plenty of autistic computer people in the world.
       
 (DIR) Post #AW28CEg2INg8PmCQfg by kirby@freespeechextremist.com
       2023-05-26T02:51:17.289856Z
       
       0 likes, 0 repeats
       
        @nekofag @graf hey friends, on may 19, 2023 an unknown user registered the domain name fedirelay.xyz and setup a fake mostr (nostr) relay to listen for requests on the fediverse. on may 20, 2023 at 20:52 (utc) a user uploaded the attached document to poast. it was originally an obfuscated javascript file (unobfuscated and attached it here, renamed to .txt so you can view it in any editor). what this javascript file does is take the viewers oauth token, encode it to make it look like a nostr pubkey and then forced the clandestine mostr relay to look up that user locally giving that server the encoded token all while appearing to be a legitimate mostr (nostr) bridge. i have taken steps to completely limit access to the admin api and corrected any CSP or other issues that could possibly have contributed to this, however most of you are still vulnerable to it. the default pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. in order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps by limiting the CSP for that subdirectory via nginx configuration. if you are an instance owner, the obfuscated file hash is `b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117` so you can search yourdomain.xyz/media/b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117.js and see if you have it on your server. sorry to anybody i let down but i could never have foreseen this level of sophistication and i would not have ever expected it. now that we are aware of it, we will be more diligent in the future. thanks for being here with us still friends
        https://poa.st/objects/23a2d8aa-c72d-488d-b9dd-21d3f3b05521
       
 (DIR) Post #AW28SdiKyYnqhQ67xA by parker@pl.psion.co
       2023-05-26T02:54:14.236080Z
       
       1 likes, 0 repeats
       
       @Tadano @graf I am not sure yet.
       
 (DIR) Post #AW28X2i5yzozNj5Hyi by SpaceElf@leafposter.club
       2023-05-26T02:55:02.478800Z
       
       3 likes, 0 repeats
       
       @parker @parker @graf Have some critters for your diligent work
       
 (DIR) Post #AW28a1wLIq8prUAmMy by TheWanax@poa.st
       2023-05-26T02:55:05.424377Z
       
       3 likes, 0 repeats
       
        @Jean_Philippe_Micheaux @EdBoatConnoisseur @Eiswald @DK_Dharmaraj @graf Yeah. The thing I keep coming back to is the feds wouldn't leak it to a lolcow forum. That gains them nothing. I know Biden has a lot of diversity hires, but even they aren't that dumb to blow their op. They'd collect data for months undetected.
       
 (DIR) Post #AW28a2XD5ldFhpQDpo by graf@poa.st
       2023-05-26T02:55:30.421453Z
       
       16 likes, 2 repeats
       
       @TheWanax @Jean_Philippe_Micheaux @EdBoatConnoisseur @Eiswald @DK_Dharmaraj feds frequently launder dox and shit like this on forums what are you talking about
       
 (DIR) Post #AW28bXLO1sQvY5baoi by kirby@freespeechextremist.com
       2023-05-26T02:55:51.645608Z
       
       1 likes, 0 repeats
       
       @graf cc @frailleaf good luck friend
       
 (DIR) Post #AW28pThaMnZ2J8dWN6 by fishsticks@poa.st
       2023-05-26T02:58:20.981866Z
       
       0 likes, 0 repeats
       
        @TheWanax @EdBoatConnoisseur @Eiswald @DK_Dharmaraj @graf
        >They wouldn't tip their hand like that
        Are you joking?
       
 (DIR) Post #AW28pr0rhHeUbapk7E by MechaSilvio@poa.st
       2023-05-26T02:58:24.907989Z
       
       12 likes, 0 repeats
       
       @graf @TheWanax @Jean_Philippe_Micheaux @EdBoatConnoisseur @Eiswald @DK_Dharmaraj Like Marty's book says "you don't have to be on the payroll to be a fed"
       
 (DIR) Post #AW291TOrJcekqVb4TY by TheWanax@poa.st
       2023-05-26T03:00:30.820207Z
       
       0 likes, 0 repeats
       
       @fishsticks @EdBoatConnoisseur @Eiswald @DK_Dharmaraj @graf I didn't say that. My point was it happened after only 1 week. Seems like a fast turn around.
       
 (DIR) Post #AW291vEBqsl99WowjY by marlin@poa.st
       2023-05-26T02:56:09.783174Z
       
       3 likes, 0 repeats
       
       @greenpx @Bellerophon It seems to be DMs and emails from the beginning (January 2021).
       
 (DIR) Post #AW29cOBBginvMxnySW by parker@pl.psion.co
       2023-05-26T03:07:12.637002Z
       
       1 likes, 0 repeats
       
       @SpaceElf @parker @graf They're very cute, thank you
       
 (DIR) Post #AW29sM5PEqQ7ViiKtU by r@freesoftwareextremist.com
       2023-05-26T03:09:59.361360Z
       
       0 likes, 0 repeats
       
        @hakui I don't get it. Just uploading a file doesn't mean you can execute it on someone's browser. Unless there's an exploit in the frontend that causes it. @hj Do you have any idea about this?
       
 (DIR) Post #AW2A3YbJ3AIfVcyby4 by ShariVegas@pleroma.nobodyhasthe.biz
       2023-05-26T03:12:06.634891Z
       
       1 likes, 0 repeats
       
        @parker @SpaceElf @parker @graf I think for our installations, we can simply drop the access-control-allow-origins and access-control-allow-credentials headers? I’ve added
            proxy_hide_header 'access-control-allow-credentials';
            proxy_hide_header 'access-control-allow-origin';
        to the location block for /media. I think that’ll work just fine?
       
 (DIR) Post #AW2AAaskxxK2c0UhhQ by Shadowbroker2135@poa.st
       2023-05-26T03:13:21.669259Z
       
       3 likes, 1 repeats
       
       @Owl @RupertvonRipp @Saber @DK_Dharmaraj @graf Glowniggers die, God laughs
       
 (DIR) Post #AW2ANuCSSEHYI13aRk by Shadowbroker2135@poa.st
       2023-05-26T03:15:46.162851Z
       
       1 likes, 0 repeats
       
       @Eiswald @DK_Dharmaraj @graf There's so many retards that seethe and shit their pants over Poast, could be anyone, but I wouldn't be surprised if it was state actor.
       
 (DIR) Post #AW2AOU0fJYEvLrog40 by ggf@poa.st
       2023-05-26T03:15:52.382416Z
       
       4 likes, 0 repeats
       
        @DK_Dharmaraj @graf Two reasons why this was not a state actor.
        1. One of the first things anybody does to test a site out is throw some javascript at it and see what happens. Everybody has their own methods and what they look for which is probably why it wasn't leveraged before.
        2. The results made their way to Ethan Ralph.
        The hacker was probably one of the first people who noticed a CSP flaw, but there could have been others. Graf has probably already checked as part of his post mortem if anybody else tried uploading a .js in the past. While I'd imagine mostly it was for benevolent reasons, those people make a good list to ask why they were, the original account of the hacker might even be among one of them.
       
 (DIR) Post #AW2AQBf2VPvN1UVu4W by johnnyappleseed@poa.st
       2023-05-26T03:16:11.220956Z
       
       5 likes, 0 repeats
       
       @MechaSilvio @graf @TheWanax @Jean_Philippe_Micheaux @EdBoatConnoisseur @Eiswald @DK_Dharmaraj Yeah, it ain’t just moderators of mongolian throat singing forums that do-it-for-free.
       
 (DIR) Post #AW2At7SJDhhkNWM4Ia by hakui@tuusin.misono-ya.info
       2023-05-26T03:21:25.545563Z
       
       0 likes, 0 repeats
       
       @r @hj i assumed the script was server-side
       
 (DIR) Post #AW2AzeE8I20bkppxvk by BiggusDiccus@poa.st
       2023-05-26T03:21:15.477645Z
       
       2 likes, 0 repeats
       
        @graf We should probably be thankful that this vulnerability was exposed with such little damage. Great work Graf! Is your current solution a full fix for this or is it a bandaid while the issue gets investigated further? @Boomerman
       
 (DIR) Post #AW2AzesBt63Fl4ZxMu by graf@poa.st
       2023-05-26T03:22:33.667623Z
       
       13 likes, 4 repeats
       
        @BiggusDiccus @Boomerman it's a temporary fix. the solution is to prevent uploading javascript and other shit in the first place. there's no reason people need to be sharing javascript on a social media site
       
 (DIR) Post #AW2BdbQs6CzMfdqcBE by parker@pl.psion.co
       2023-05-26T03:29:50.146976Z
       
       1 likes, 0 repeats
       
       @ShariVegas @SpaceElf @parker @graf Thanks I'll try that in a bit then. Otherwise I was thinking of something like deny all for js files in the uploads directory.
       
 (DIR) Post #AW2BeRxcng5NaHZVS4 by graf@poa.st
       2023-05-26T03:29:54.937511Z
       
       8 likes, 1 repeats
       
       @officialfoxdickfarms @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Jean_Philippe_Micheaux @TheWanax sure let me fix it for you
       
 (DIR) Post #AW2BjsC6gxJcOUvofo by wishgranter14@poa.st
       2023-05-26T03:30:55.963019Z
       
       0 likes, 0 repeats
       
       @AnimeTradCath @graf Yea, I need a geek to English translation.  I sort of get that it "stole" the oauth token to trick something into doing something, but not really sure what?  I normally use pl.poa.st, but just today it's giving me all these 403 errors.  Not sure if related or not.
       
 (DIR) Post #AW2BkRnYJj44oliiOm by ShariVegas@pleroma.nobodyhasthe.biz
       2023-05-26T03:30:58.334561Z
       
       0 likes, 0 repeats
       
       @parker @SpaceElf @parker @graf I think we should do both. I'm trying to figure out how to do that now.
       
 (DIR) Post #AW2BxY8u2YcSG7xEPY by r@freesoftwareextremist.com
       2023-05-26T03:33:20.357302Z
       
       0 likes, 0 repeats
       
       @hakui @hj But that doesn't mean that it'd get included in the index.html with a <script> tag. And the post content is also sanitized by the backend to only include a specific set of tags. By that logic every file upload site is vulnerable unless they work under two domains.
       
 (DIR) Post #AW2CI2Be2vQNEP0M0O by parker@pl.psion.co
       2023-05-26T03:37:07.573897Z
       
       0 likes, 0 repeats
       
        @ShariVegas @SpaceElf @parker @graf I'm pretty sure this is wrong
            location ~* /media/.*\.js$ {
                deny all;
            }
       
 (DIR) Post #AW2CPYrwvs9YcYNids by fatepony@poa.st
       2023-05-26T03:38:27.255471Z
       
       1 likes, 0 repeats
       
        @graf Okay, that actually is very sophisticated. Surprised that not only can uploaded files be ran when viewed by users, but that other fedi instances can be malicious while still being accepted and functional for all the protocols involved. Hopefully the fix to this leads to better security across fedi. Thanks for the hard work Graf!
       
 (DIR) Post #AW2CbDXk30aBxFUI1Q by EdBoatConnoisseur@poa.st
       2023-05-26T03:40:34.858947Z
       
       5 likes, 0 repeats
       
       @wishgranter14 @AnimeTradCath @graf there
       
 (DIR) Post #AW2CfXKYQ9H6TxNXfs by ShariVegas@pleroma.nobodyhasthe.biz
       2023-05-26T03:41:14.049823Z
       
       2 likes, 1 repeats
       
        @parker @SpaceElf @parker @graf actually maybe not, this is working for me:
            location ~* /(media|proxy)/.*\.(js|mjs)$ {
                deny all;
            }
       
 (DIR) Post #AW2Cmh8ANlBOu6zv0a by parker@pl.psion.co
       2023-05-26T03:42:41.066359Z
       
       0 likes, 0 repeats
       
       @ShariVegas @SpaceElf @parker @graf Groovy, I'll try that then.
       
 (DIR) Post #AW2D7NwUv1BXTSPDRg by gabriel@mk.gabe.rocks
       2023-05-26T03:46:24.268Z
       
       0 likes, 0 repeats
       
        Thanks for the detailed update @graf@poa.st 🫂
       
 (DIR) Post #AW2DEkzTco6qz2JY2K by gabriel@mk.gabe.rocks
       2023-05-26T03:47:45.232Z
       
       0 likes, 0 repeats
       
        Thanks for the detailed update @graf@poa.st 🫂
       
 (DIR) Post #AW2DFDMU8r9QyVIJmq by Library@poa.st
       2023-05-26T03:46:50.212077Z
       
       1 likes, 0 repeats
       
        @EdBoatConnoisseur @graf We all know the real question here. Why would the jews do this?
       
 (DIR) Post #AW2DV42GaG3kgSOYFM by wishgranter14@poa.st
       2023-05-26T03:50:40.605442Z
       
       1 likes, 1 repeats
       
       @EdBoatConnoisseur @AnimeTradCath @graf ok, now i get it. thanks. i guess it has nothing to do with the 403's then.
       
 (DIR) Post #AW2DXllkxCfwttxjpw by graf@poa.st
       2023-05-26T03:51:06.297364Z
       
       1 likes, 0 repeats
       
       @wishgranter14 @EdBoatConnoisseur @AnimeTradCath 403s? can you give me a console screenshot?
       
 (DIR) Post #AW2Dl19D5aGCMOFYsS by coin@asimon.org
       2023-05-26T03:53:34.322588Z
       
       0 likes, 0 repeats
       
       @parker @SpaceElf @parker @ShariVegas @graf Is that added to the nginx file?
       
 (DIR) Post #AW2DsMJYmztO2FakgC by wishgranter14@poa.st
       2023-05-26T03:54:53.485607Z
       
       0 likes, 0 repeats
       
       @graf @AnimeTradCath @EdBoatConnoisseur now it's giving me a 401.  I logged in, and now it seems to be behaving itself again.  i'm behind a VPN, if that matters.
       
 (DIR) Post #AW2DuLnFhJjAzxQhXM by graf@poa.st
       2023-05-26T03:55:13.539027Z
       
       2 likes, 0 repeats
       
       @wishgranter14 @AnimeTradCath @EdBoatConnoisseur yeah come tomorrow you will no longer be able to use pleroma fe, we are no longer supporting it.
       
 (DIR) Post #AW2DuvboXJy84uM4hs by ShariVegas@pleroma.nobodyhasthe.biz
       2023-05-26T03:55:13.258618Z
       
       2 likes, 0 repeats
       
       @coin @SpaceElf @parker @parker @graf Yeah, I’ve got mine between my location / and location ~ ^(media|proxy) stanzas
       
 (DIR) Post #AW2E7D83DuvbtGI46i by BowsacNoodle@poa.st
       2023-05-26T03:57:34.506430Z
       
       2 likes, 1 repeats
       
        @Dan_Hulson @Jean_Philippe_Micheaux @1nter4ri @Eiswald @DK_Dharmaraj @graf @Humpleupagus 🅱️enis inspection day
       
 (DIR) Post #AW2ECOWGIk1kfJ5QuW by djsumdog@djsumdog.com
       2023-05-26T03:58:31.588077Z
       
       1 likes, 0 repeats
       
       Wait, so the JS execution, was it happening in Pleroma-FE, SoapboxUI or both?
       
 (DIR) Post #AW2EQZgba1aTLvgbZI by hakui@tuusin.misono-ya.info
       2023-05-26T04:01:05.224176Z
       
       0 likes, 0 repeats
       
       @r @hj i'm not good with computer so i was just guessing
       
 (DIR) Post #AW2EUlmcXst21sV52e by parker@pl.psion.co
       2023-05-26T04:01:51.474863Z
       
       0 likes, 0 repeats
       
       @ShariVegas @coin @SpaceElf @parker @graf Yep, works for me.
       
 (DIR) Post #AW2HCN7pmf0QCjLFEu by coin@asimon.org
       2023-05-26T04:32:07.923269Z
       
       0 likes, 0 repeats
       
       @ShariVegas @parker @parker I need to ask for my sanity, does it make it so that you cannot upload .js files?
       
 (DIR) Post #AW2HLdYG55Cfku7S7M by ShariVegas@pleroma.nobodyhasthe.biz
       2023-05-26T04:33:44.291557Z
       
       1 likes, 0 repeats
       
       @coin @parker @parker doesn't block uploading them, just blocks downloading them (blocking uploading them would require hacking the frontend)
       
 (DIR) Post #AW2HplqFp3X09euCVk by coin@asimon.org
       2023-05-26T04:39:15.822873Z
       
       0 likes, 0 repeats
       
       @ShariVegas Alright, I just did a few uploads of empty .js files, so I am constantly wondering if nginx or the rules are working as intended. Thanks for the, you and parker.
       
 (DIR) Post #AW2J4XYnIrsE9vLT9M by FediJoshJ@sneed.vip
       2023-05-26T04:53:03.138362Z
       
       1 likes, 0 repeats
       
       @graf Does this affect my single-user instance too? I need to see if I can figure out the updates, if so.
       
 (DIR) Post #AW2JW87fTNozNGoSum by ademan@thebag.social
       2023-05-26T04:58:06.759255Z
       
       0 likes, 0 repeats
       
        What’s the CSP look like? I’m a retard with webshit but from 5 minutes of googling I came up with:
            location / {
            ...
            # add_header Content-Security-Policy "default-src 'self'; img-src *; media-src *; script-src https://thebag.social/packs/ https://thebag.social/sw.js" always; # XXX nah
            # According to what I read, adding a second CSP in addition to the default one pleroma serves, instructs the browser to permit the intersection of the two sources, so we only need to restrict script-src and we can let pleroma specify the rest of the defaults
            add_header Content-Security-Policy "script-src https://thebag.social/packs/ https://thebag.social/sw.js" always;
            ...
            }
        This would be for soapbox only, tweak for pleromafe (and obviously change the domain). This is untested and should be vetted by non-retards of course.
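
        Putting the thread's three mitigations together as one added example (not poa.st's, Pleroma's or any poster's own config): the .js/.mjs deny rule for /media and /proxy, the second CSP header that restricts script-src (with `always` in its correct position, before the semicolon), and the CORS header stripping. The hostname, the backend port and the /packs/ and /sw.js script paths are assumptions; adjust them to your frontend.

```nginx
# Added example, not an existing instance's config. example.invalid,
# port 4000 and the /packs/ + /sw.js script paths are placeholders.
server {
    listen 443 ssl;
    server_name example.invalid;

    # 1. Refuse to serve anything under /media or /proxy whose name ends in
    #    .js or .mjs. Uploads are not prevented (the frontend still accepts
    #    them); the files simply become undownloadable, so a <script src=
    #    "/media/...js"> reference fails. nginx picks the FIRST matching
    #    regex location, so this block must come before any broader
    #    "location ~ ^/(media|proxy)" block.
    location ~* ^/(media|proxy)/.*\.(js|mjs)$ {
        deny all;
    }

    # 2. Everything else under /media and /proxy: pass through to Pleroma
    #    but drop the CORS headers that let a cross-origin page read the
    #    response with credentials, and forbid MIME sniffing so a renamed
    #    upload served with a non-script content type is never executed
    #    as a script.
    location ~ ^/(media|proxy) {
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        add_header X-Content-Type-Options nosniff always;
        proxy_pass http://127.0.0.1:4000;
    }

    # 3. Second CSP layer for the frontend pages. A browser enforces every
    #    Content-Security-Policy header it receives, so the effective policy
    #    is the intersection of Pleroma's own header and this one. Limiting
    #    script-src to the frontend bundle paths means a script hosted under
    #    /media on the same origin is blocked even if rule 1 is bypassed.
    #    Syntax note: "always" is a flag of add_header and sits before the
    #    semicolon; "...; always;" is a configuration error.
    location / {
        add_header Content-Security-Policy
            "script-src https://example.invalid/packs/ https://example.invalid/sw.js" always;
        add_header X-Content-Type-Options nosniff always;
        proxy_pass http://127.0.0.1:4000;
    }
}
```

        Check the result with `nginx -t` before reloading, and confirm in the browser console that the frontend's own bundle still loads while a test request to /media/anything.js returns 403.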
       
 (DIR) Post #AW2JtGGRMwtdHjwig4 by graf@poa.st
       2023-05-26T05:02:15.107949Z
       
       2 likes, 0 repeats
       
       @FediJoshJ I mean everyone is vulnerable unless they've specifically modified their pleroma config to prevent it which should be standard but isn't I guess. if you don't open registrations you're less vulnerable
       
 (DIR) Post #AW2K7eaTjUw4mCBJke by ademan@thebag.social
       2023-05-26T05:04:54.236020Z
       
       0 likes, 0 repeats
       
        if I understand correctly (probably not), the two vectors for this exploit are
        a user on your instance uploads the payload
        your instance uses mediaproxy and serves up the payload on the same domain (default?)
       
 (DIR) Post #AW2KS4la6q3HlF73p2 by redditeur@poa.st
       2023-05-26T04:59:47.386034Z
       
       0 likes, 0 repeats
       
       @Owl @Boomerman @graf Chudbuds wasn't directly compromised; Fat Cunt's machine was compromised, and through it, all her credentials (and disgusting nudes) got stolen and that allowed people to fuck with the server. It wasn't a software vulnerability, it was a woman being a woman.
       
 (DIR) Post #AW2KS5PHjDoLkNglhw by Owl@nicecrew.digital
       2023-05-26T05:08:36.256466Z
       
       0 likes, 0 repeats
       
       Missing the point.
       
 (DIR) Post #AW2KnOuqOCyEKnc7nc by redditeur@poa.st
       2023-05-26T04:53:46.623429Z
       
       2 likes, 0 repeats
       
       @like50bears @graf Browsers run JS more or less with impunity. It's a "feature" of the Web that should have been culled decades ago, when EcmaScript5 became a thing, but >muh advertisement would be broken if they did it.
       
 (DIR) Post #AW2KnPYC1uRiIq1Y8G by like50bears@shitposter.club
       2023-05-26T05:12:27.417908Z
       
       0 likes, 0 repeats
       
       @redditeur I know browsers can run js, but generally applications (like all the fedi front ends) have protections from actually running arbitrary user submitted code. If they don't it's a vulnerability.
       
 (DIR) Post #AW2Ko33P9naMovvWhE by Shadowman311@poa.st
       2023-05-26T05:12:32.194569Z
       
       13 likes, 2 repeats
       
       @ggf @DK_Dharmaraj @graf The fact that Ralph knew about it immediately is extremely suspicious, but I doubt anyone from his fanbase could pull this off. That being said he is within a few degrees of separation from federal assets like Baked Alaska and almost certainly Fuentes so he could have easily just gotten it through that particular circle.
       
 (DIR) Post #AW2KorI0NmyQch8tOa by ademan@thebag.social
       2023-05-26T05:12:42.614670Z
       
       1 likes, 0 repeats
       
        Man, thank you for the writeup, and the forensics, and dealing with the headache. I probably misunderstand several parts of this, but I’m also missing a part, how did the attacker actually run the js? that would require inserting a script tag onto the page wouldn’t it? Surely of all things, pleroma would sanitize that sort of thing robustly, did that fail?
       
 (DIR) Post #AW2KvkNQTw1fD9xkcy by Shadowman311@poa.st
       2023-05-26T05:13:55.278257Z
       
       4 likes, 1 repeats
       
       @ggf @DK_Dharmaraj @graf Additionally, as much as I despise the bastard, he did apparently take credit for it, and he does love to brag about evil shit he does so he probably wasn't lying.
       
 (DIR) Post #AW2KziRrarkCO9vlhI by reloadedAK@poa.st
       2023-05-26T05:14:35.305944Z
       
       5 likes, 0 repeats
       
       @Shadowman311 @ggf @DK_Dharmaraj @graf Remember he is willing to associate with that fag Zoom to dig dirt on people so I wouldn't be completely sure he didn't have a hand in it
       
 (DIR) Post #AW2L2KZaomBVD2nEEi by marlin@poa.st
       2023-05-26T03:04:12.809290Z
       
       1 likes, 0 repeats
       
        @synapsid @graf @Forgetful_Gynn Take a conversation between A and B, A wants to delete the DMs while B wants to keep them. Whose wishes are enacted? Now put A and B on two different instances. Best way is for users to understand the weaknesses and limitations of the tools they are using. I treat DMs like email, if I need them encrypted, I will use GPG.
       
 (DIR) Post #AW2L5jvX0e6ciBgEE4 by Shadowman311@poa.st
       2023-05-26T05:15:42.028625Z
       
       2 likes, 0 repeats
       
       @reloadedAK @ggf @DK_Dharmaraj @graf Oh I'm almost certain he does, in fact I'd say he was likely one of the primary catalyst for it, but he had to have some help from someone way smarter and more connected than him.
       
 (DIR) Post #AW2L6Yn7tegaSt8jho by Boomerman@poa.st
       2023-05-26T05:15:52.815796Z
       
       5 likes, 2 repeats
       
        @reloadedAK @Shadowman311 @ggf @DK_Dharmaraj @graf I sorta personally suspect this may have been zoom. It's his MO for stuff like this.
       
 (DIR) Post #AW2LCz2pCVjBcpXtQm by Shadowman311@poa.st
       2023-05-26T05:17:02.418082Z
       
       1 likes, 0 repeats
       
        @Boomerman @reloadedAK @ggf @DK_Dharmaraj @graf Zoom likes to brag, he can't help it, it's a fatal flaw of his. If he did this it won't be long until he says something.
       
 (DIR) Post #AW2LJ7Ob42vtGOee7k by Owl@nicecrew.digital
       2023-05-26T05:18:11.634239Z
       
       2 likes, 0 repeats
       
       Zoom was said to be behind Chudbuds, too.
       
 (DIR) Post #AW2LO7vyURpQNgegBk by Shadowman311@poa.st
       2023-05-26T05:19:03.446220Z
       
       1 likes, 0 repeats
       
       @Owl @Boomerman @DK_Dharmaraj @ggf @graf @reloadedAK Has he gone to ground after being credibly accused of being a pedophile? I haven't seen nor heard of him in years.
       
 (DIR) Post #AW2LRsq0YkV4ieehjk by Boomerman@poa.st
       2023-05-26T05:19:43.572059Z
       
       8 likes, 1 repeats
       
        @Shadowman311 @reloadedAK @ggf @DK_Dharmaraj @graf They're all federal assets. Only people even talking about it are twitter retards. No one cares, it isn't some big splash. Maybe they doxx a couple of shit poasters. Big whoop.
       
 (DIR) Post #AW2LVXGkh2B6z2uFnc by Boomerman@poa.st
       2023-05-26T05:20:24.103569Z
       
       1 likes, 0 repeats
       
        @Shadowman311 @Owl @DK_Dharmaraj @ggf @graf @reloadedAK He's always around. I'd guess he also has helped fucking with kiwifarms too.
       
 (DIR) Post #AW2LWA3IUzaZGbuYk4 by Owl@nicecrew.digital
       2023-05-26T05:20:33.034271Z
       
       1 likes, 0 repeats
       
       I can’t say for certain, I don’t keep up with drama circles and what not but the conclusion was that Zoom most definitely had something to do with this. I hate to go to bat for bot but people accusing her are really just working useful misdirection. This was up Zoom’s M.O. and people shouldn’t lose sight of that. If it’s not I’d be surprised, and I’m sure there are some credible things people are putting together to help get to the bottom of this.
       
 (DIR) Post #AW2LWXl2MXF6mvYJc0 by reloadedAK@poa.st
       2023-05-26T05:20:34.200910Z
       
       3 likes, 0 repeats
       
       @Boomerman @Shadowman311 @ggf @DK_Dharmaraj @graf I would hope that those of us that use Poast wouldn't give THAT level of doxx info
       
 (DIR) Post #AW2LY3oUfJrQUrtP3A by Shadowman311@poa.st
       2023-05-26T05:20:51.391637Z
       
       1 likes, 0 repeats
       
       @reloadedAK @Boomerman @ggf @DK_Dharmaraj @graf It's happened before
       
 (DIR) Post #AW2LavapgWhJs2s0TA by Boomerman@poa.st
       2023-05-26T05:21:21.680531Z
       
       2 likes, 0 repeats
       
       @reloadedAK @Shadowman311 @ggf @DK_Dharmaraj @graf It seems unfortunately some did. Which sucks but like come on man.
       
 (DIR) Post #AW2LcaxlMHEySzOH0i by Owl@nicecrew.digital
       2023-05-26T05:21:42.846128Z
       
       1 likes, 0 repeats
       
       You-know-who is definitely smelling blood in the water. The Antifa journalist creep.
       
 (DIR) Post #AW2LhMM564ycbq2MN6 by reloadedAK@poa.st
       2023-05-26T05:22:31.846272Z
       
       3 likes, 0 repeats
       
       @Boomerman @Shadowman311 @ggf @DK_Dharmaraj @graf Need to have a weekly repoast of what NOT to reveal on the internet and never have your personal info tied to an online persona
       
 (DIR) Post #AW2LigP62g6z4w4vSK by Boomerman@poa.st
       2023-05-26T05:22:46.393389Z
       
       9 likes, 3 repeats
       
        @Shadowman311 @reloadedAK @ggf @DK_Dharmaraj @graf Any website I've ever been on has had DMs leak. Idk why people think DMs on any website are lock tight and secure let alone the fediverse.
       
 (DIR) Post #AW2Lq02RRJkU08yFAu by Dan_Hulson@poa.st
       2023-05-26T05:24:05.788356Z
       
       2 likes, 0 repeats
       
       @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @graf @reloadedAK Look you don't want to get doxxed like I was but it ain't the end of the world so try not let those commie rats scare you too much
       
 (DIR) Post #AW2LvttDDJpwfVT2bQ by Owl@nicecrew.digital
       2023-05-26T05:25:09.334995Z
       
       2 likes, 0 repeats
       
       Oh, I was never personally revealing with anything. The most I read was people seething over me being a wishy-washy, double-standarding, obnoxious and spergy cunt, lmao.
       
 (DIR) Post #AW2M0aGHcKbXF2UYpE by Remi@poa.st
       2023-05-26T05:25:59.625486Z
       
       4 likes, 2 repeats
       
       @reloadedAK @Boomerman @Shadowman311 @ggf @DK_Dharmaraj @graf Crazy how it was common knowledge just 20 years ago that you should never post identifiable information about yourself online. Now we have retards using their own faces as pfps and posting their locations, political opinions, likes and dislikes, worst fears, work schedules, PIN numbers...
       
 (DIR) Post #AW2M3SggEbU4cSD9gO by Owl@nicecrew.digital
       2023-05-26T05:26:34.187954Z
       
       0 likes, 0 repeats
       
       Speaking of circles, let’s not forget.
       
 (DIR) Post #AW2M7FcYl0oxFj5gO0 by Zerglingman@freespeechextremist.com
       2023-05-26T05:27:15.456652Z
       
       2 likes, 0 repeats
       
        @graf The modern web and its consequences. I need to install bloat already, then just ban all scripts on my site.
       
 (DIR) Post #AW2MEY0ylevOKLzZCa by Dan_Hulson@poa.st
       2023-05-26T05:28:32.303449Z
       
       4 likes, 1 repeats
       
       @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @graf @reloadedAK I'm telling you this is all some op to spread fear and get people to leave Fedi
       
 (DIR) Post #AW2MHtcMu8pQCG4qie by Owl@nicecrew.digital
       2023-05-26T05:29:10.505608Z
       
       2 likes, 1 repeats
       
       It’s succeeding. A lot of good names on Poa.st are coming elsewhere on the Fediverse or are outright leaving.
       
 (DIR) Post #AW2MQyL8iWZVRrLXWq by Dan_Hulson@poa.st
       2023-05-26T05:30:46.397530Z
       
       4 likes, 0 repeats
       
       @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @graf @reloadedAK We should spread out but they will go after other instances in the future that are adjacent to Poast imho
       
 (DIR) Post #AW2MWScbYeZ2oU8HxI by Owl@nicecrew.digital
       2023-05-26T05:31:48.587506Z
       
       4 likes, 0 repeats
       
       No, you’re right. Honestly, if the dramafags hadn’t been on Poa.st I do wonder if this wouldn’t have happened.
       
 (DIR) Post #AW2Ma2buD1uhIbVrge by Dan_Hulson@poa.st
       2023-05-26T05:32:25.058019Z
       
       5 likes, 2 repeats
       
       @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @graf @reloadedAK TOTAL DRAMA NIGGER DEATH
       
 (DIR) Post #AW2MdKVE8tmhexxPbE by graf@poa.st
       2023-05-26T05:32:57.778506Z
       
       5 likes, 0 repeats
       
       @Dan_Hulson @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @reloadedAK correct
       
 (DIR) Post #AW2MjnAWTYUSIsM2V6 by Owl@nicecrew.digital
       2023-05-26T05:34:12.990355Z
       
       4 likes, 0 repeats
       
       They only wanted the drama niggers, the rest of Poa.st just seems to be valuable collateral damage. Unacceptable casualties though. I would vote to send that shit packing, regardless of how Poa.st gets fixed up. It’s a liability.
       
 (DIR) Post #AW2MnQfq3MENh9jj3A by Dan_Hulson@poa.st
       2023-05-26T05:34:49.604287Z
       
       2 likes, 1 repeats
       
       @graf @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @reloadedAK We gave them a home and all they did was shit the place up and bring faggotry
       
 (DIR) Post #AW2N5WWP39M92nx27E by marlin@poa.st
       2023-05-26T05:32:34.567029Z
       
       2 likes, 0 repeats
       
       @Remi @reloadedAK @Boomerman @Shadowman311 @ggf @DK_Dharmaraj @graf "Your identity is your most valuable possession, protect it." youtube.com/watch?v=SzY9wLa3XAo
       
 (DIR) Post #AW2NGyU9QDQMxQMGB6 by Dicer@poa.st
       2023-05-26T05:40:10.965372Z
       
       1 likes, 0 repeats
       
       @Remi @reloadedAK @Boomerman @Shadowman311 @ggf @DK_Dharmaraj @graf I can't say how much I hate niggers?
       
 (DIR) Post #AW2NI6vBXgdrPXXq2C by Sui@decayable.ink
       2023-05-26T05:40:24.973344Z
       
       1 likes, 0 repeats
       
       >They only wanted the drama niggers... Who are the dramaniggers on baest? That bit really doesn't add up.
       
 (DIR) Post #AW2NK1KRJ4xMe2GfmS by Owl@nicecrew.digital
       2023-05-26T05:40:45.979366Z
       
       2 likes, 0 repeats
       
       Maybe they just thought to go for the whole pot? Who can say?
       
 (DIR) Post #AW2NRBAB8mZ9AmskQi by Omega_Variant@nicecrew.digital
       2023-05-26T05:42:03.577763Z
       
       13 likes, 6 repeats
       
       if ralph was involved it was a vendetta on his part. It will eventually spread. Here is the deal though, if we all flinch and cower away from the threat of a simple dox then there are more women than men here than I originally thought. We (collectively as the fedi) act as if the government can't find us or give us away if we are super sweekwet on the fediverse. Sorry, that's just not true no matter how much anyone thinks it is. They already have your phone records, your texts, your address, probably could pull up your drive history and predict with fairly good accuracy where you will be normally. The question now is, how obstinate are you willing to be? When you are lined up and the gun is to your head will you be the one saying "fuck you pull the trigger" or the one begging and pleading for your life? TBH more of the fedi will be wallowing and pleading if this is the behavior that is exhibited over a flipping DM dox. It's pathetic.
       
 (DIR) Post #AW2NXsMFSNo2sOikMK by buttered_poasties@poa.st
       2023-05-26T05:43:14.225162Z
       
       1 likes, 0 repeats
       
       @MechaSilvio @graf @TheWanax @Jean_Philippe_Micheaux @EdBoatConnoisseur @Eiswald @DK_Dharmaraj marty still doing any audio content? his plays the sims stuff was great.
       
 (DIR) Post #AW2NeMevi5bwakYLI0 by Dan_Hulson@poa.st
       2023-05-26T05:44:24.245589Z
       
       2 likes, 0 repeats
       
       @Omega_Variant @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @graf @reloadedAK I just made light of it. I ain't leaving over this petty shit I can assure you and I will stick by Poast and will continue to back Graf
       
 (DIR) Post #AW2Nefwe0S4QPBzG2S by MechaSilvio@poa.st
       2023-05-26T05:44:27.951391Z
       
       2 likes, 0 repeats
       
       @buttered_poasties @graf @TheWanax @Jean_Philippe_Micheaux @EdBoatConnoisseur @Eiswald @DK_Dharmaraj I don't think so, but his second book just got out in Antelope Hill
       
 (DIR) Post #AW2NjtT59ewFnKeDwW by Omega_Variant@nicecrew.digital
       2023-05-26T05:45:26.541244Z
       
       1 likes, 0 repeats
       
       It wasn't aimed at you my man, I didn't even read the thread. Just picked a post on my TL and shot from the hip LOL
       
 (DIR) Post #AW2NnbJSb5u6e5umsS by graf@poa.st
       2023-05-26T05:46:03.022467Z
       
       8 likes, 2 repeats
       
       @Dan_Hulson @Omega_Variant @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @reloadedAK me too brother hulson. gf gave me a hug while I was whittling down the source and it gave me the drive I needed to push forward 🙏🏻
       
 (DIR) Post #AW2NrS1f4Ifz06QRoe by Owl@nicecrew.digital
       2023-05-26T05:46:48.522061Z
       
       4 likes, 0 repeats
       
       Hey. I’m sitting pretty, man. I may be on the outs with graf and his dudes but I’m going to throw my hat in and keep it in any way I can. Poa.st has great people, and I’m not going to encourage them to run either.
       
 (DIR) Post #AW2NuS9D4XESFNO6PA by Dan_Hulson@poa.st
       2023-05-26T05:47:18.373650Z
       
       2 likes, 0 repeats
       
       @Omega_Variant @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @graf @reloadedAK I know you didn't mean me, Brother, but I'm saying we can't run over this shit or we are truly weak
       
 (DIR) Post #AW2NxAbik5rQiS1FAW by Library@poa.st
       2023-05-26T05:47:44.651710Z
       
       5 likes, 0 repeats
       
       @Omega_Variant @Owl @Boomerman @DK_Dharmaraj @Dan_Hulson @Shadowman311 @ggf @graf @reloadedAK 
       
 (DIR) Post #AW2NxNWAk29Al0WUpE by chainsaw_appreciator@poa.st
       2023-05-26T05:47:50.432024Z
       
       4 likes, 1 repeats
       
       @Omega_Variant @Owl @Boomerman @DK_Dharmaraj @Dan_Hulson @Shadowman311 @ggf @graf @reloadedAK >how obstinate are you willing to be?
       
 (DIR) Post #AW2NzWwgf1NmZkx37Q by Owl@nicecrew.digital
       2023-05-26T05:48:16.112337Z
       
       4 likes, 1 repeats
       
       Damn right. Fuck that fat pig. We’re staying and we’ll be better than ever.
       
 (DIR) Post #AW2O6IcKKceYAEeih6 by Omega_Variant@nicecrew.digital
       2023-05-26T05:49:29.521602Z
       
       4 likes, 0 repeats
       
       those crunched up faces get me every time
       
 (DIR) Post #AW2O7QKL9TrGMimLNQ by Dan_Hulson@poa.st
       2023-05-26T05:49:39.417122Z
       
       4 likes, 0 repeats
       
       @graf @Omega_Variant @Owl @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @reloadedAK Brother Graf, you always do the best for us and this isn't on you and thanks for everything you do for us all
       
 (DIR) Post #AW2OOwl9p0ajsNg5x2 by RealAkoSuminoe@poa.st
       2023-05-26T05:52:49.337249Z
       
       3 likes, 0 repeats
       
       @Zerglingman @graf This has nothing to do with the "modern" web and attacks like this were EXTREMELY common on the older web. I mean, the old web used to involve sending passwords in plain text over unencrypted connections. Script injections and token leaks happened all the time, and the unfortunate situation of the modern web is that it needs to mitigate all of these issues. The reality is that security in a federated social network is a HARD problem to solve, and I'm honestly surprised that issues like this haven't happened more frequently.
       
 (DIR) Post #AW2OWfWrlgm0klfwg4 by Zerglingman@freespeechextremist.com
       2023-05-26T05:54:15.681178Z
       
       1 likes, 0 repeats
       
       @RealAkoSuminoe @graf lmao ok retard
       
 (DIR) Post #AW2OfrEpbT1zftcahc by robbie@justbros.xyz
       2023-05-26T02:12:38.467233Z
       
       1 likes, 0 repeats
       
       thanks for the write up, appreciate it!
       
 (DIR) Post #AW2OkmmNbo5nIGfBq4 by Remi@poa.st
       2023-05-26T05:56:45.643047Z
       
       0 likes, 0 repeats
       
       @Dicer @reloadedAK @Boomerman @Shadowman311 @ggf @DK_Dharmaraj @graf How much do you hate niggers.
       
 (DIR) Post #AW2OzWaG6bTnPM1PqC by MechaSilvio@poa.st
       2023-05-26T05:59:08.569481Z
       
       5 likes, 0 repeats
       
       @Library @Omega_Variant @Owl @Boomerman @DK_Dharmaraj @Dan_Hulson @Shadowman311 @ggf @graf @reloadedAK Poasters and Poasties ready to slide in each other's DMs again (circa 2023)
       
 (DIR) Post #AW2P6fikX6UhlyOx4y by morgthorak@poa.st
       2023-05-26T06:00:43.045193Z
       
       0 likes, 0 repeats
       
       @Shadowman311 @ggf @DK_Dharmaraj @graf I wish those people would all just go away. It's never ending drama with them. On and on it goes, and they skunk up every place they go with their bullshit.
       
 (DIR) Post #AW2POoY0SDM8MR1l1U by morgthorak@poa.st
       2023-05-26T06:03:52.917958Z
       
       2 likes, 1 repeats
       
       @Owl @Dan_Hulson @Boomerman @DK_Dharmaraj @Shadowman311 @ggf @graf @reloadedAK I'm so sick of them, I want them to go away. Get off poast and leave the internet entirely.
       
 (DIR) Post #AW2PXPDtyiyQQQijBY by brimshae@poa.st
       2023-05-26T06:05:28.405199Z
       
       0 likes, 0 repeats
       
       @EdBoatConnoisseur @Eiswald @DK_Dharmaraj @graf Are all three of them troons?
       
 (DIR) Post #AW2PcntFh8VUNOdT0a by morgthorak@poa.st
       2023-05-26T06:06:30.374820Z
       
       0 likes, 0 repeats
       
       @graf @Forgetful_Gynn How do you delete DMs? I didn't see a way to do it in the DM page.
       
 (DIR) Post #AW2Pj9xSYlyqYXdOGe by EdBoatConnoisseur@poa.st
       2023-05-26T06:07:40.251551Z
       
       0 likes, 0 repeats
       
       @brimshae @Eiswald @DK_Dharmaraj @graf could
       
 (DIR) Post #AW2PqEmf13BjYAxSsq by Dirty_Thirty@poa.st
       2023-05-26T06:08:57.380218Z
       
       0 likes, 0 repeats
       
       @graf you are battling a cyber war and the arms race is constant, i'm not worried, you will beat them all in this war, a lost battle is expected here and there against the entire globalhomo resources o/
       
 (DIR) Post #AW2Q8DLx4fKyKE2NYO by Owl@nicecrew.digital
       2023-05-26T06:12:14.888659Z
       
       0 likes, 0 repeats
       
       Only you guys can ask for that change. I think it’s the right change to ask for though.
       
 (DIR) Post #AW2R72ED3Co3UEPwX2 by mmmfeet@poa.st
       2023-05-26T06:23:11.011446Z
       
       4 likes, 2 repeats
       
       @Shadowman311 @ggf @DK_Dharmaraj @graf Glowies aren't the only big institution out there.  Maybe it could have been the Republicans, or some NGO associated with them?
       
 (DIR) Post #AW2RSD1A89X11zPYzA by PodunkPotato@nicecrew.digital
       2023-05-26T06:27:03.768864Z
       
       6 likes, 1 repeats
       
       Here is the thing. The gov knows where you are in your house from your and even your neighbors' wifi. They know your blood pressure from recording your voice through your tv speakers even if you don't carry a smartphone to spy on you. They don't want to admit these things in public so they try to tie you to something like this so they have a way to introduce it. Just don't be retarded with your info online. It's probably too late anyways. So fuck 'em. They will be reading my shitpoasts to the court. I have a feeling they won't be televised. I'm too funny for them to allow that.
       
 (DIR) Post #AW2RYxg3Z2bxTrl7lA by chainsaw_appreciator@poa.st
       2023-05-26T06:28:15.047239Z
       
       4 likes, 1 repeats
       
       @mmmfeet @Shadowman311 @ggf @DK_Dharmaraj @graf Uncomfortably plausible.
       
 (DIR) Post #AW2RbJfkl37SHCjwYa by mmmfeet@poa.st
       2023-05-26T06:28:39.966100Z
       
       6 likes, 0 repeats
       
       @Shadowman311 @ggf @DK_Dharmaraj @graf Scare the shit out of all the other dissident right watering holes so they flee and leave twitter as the only safe platform where you can control the conversation and shepherd them towards voting DeSantis next year.  Republicans might not have the balls to do something like that but Israelis do
       
 (DIR) Post #AW2Rr4auaMlM96zN9U by lain@lain.com
       2023-05-26T06:30:46.428132Z
       
       3 likes, 0 repeats
       
       @graf that's a crazy attack, can you tell me more about how that mostr relay plays into this? I know that you can upload pretty much any file, but how did the attacker get it to execute in the context of the website?
       
 (DIR) Post #AW2RzaMIN2ncygD9fs by Dicer@poa.st
       2023-05-26T06:33:02.582450Z
       
       1 likes, 0 repeats
       
       @Remi @reloadedAK @Boomerman @Shadowman311 @ggf @DK_Dharmaraj @graf I say it in real life as well.
       
 (DIR) Post #AW2RznRNjRanYDgtuK by mint@ryona.agency
       2023-05-26T06:32:12.984427Z
       
       2 likes, 1 repeats
       
       @lain @graf >how that mostr relay plays into this
       It's just a dud. Oauth tokens get presented as those long-ass usernames, the script does the account lookup query on local instance, and then local instance tries to fetch the account with that username from a remote one, which then logs the tokens.
       
 (DIR) Post #AW2S9aWKcjDkNLfvOa by lain@lain.com
       2023-05-26T06:34:13.480544Z
       
       2 likes, 0 repeats
       
       @mint @graf i still don't understand how the script gets executed. where is it being embedded in script tag?
       
 (DIR) Post #AW2SGzXxyUG41KyDAW by RealAkoSuminoe@poa.st
       2023-05-26T06:30:44.883423Z
       
       2 likes, 1 repeats
       
       @Boomerman @Shadowman311 @reloadedAK @ggf @DK_Dharmaraj @graf No one should send sensitive information over channels that aren't end-to-end encrypted. Even if the messenger is encrypted, it's still always a possibility that the endpoints themselves get compromised. Whether or not you trust the admin or the chat app is open source is irrelevant.
       
 (DIR) Post #AW2SNeF7a3a5yUKUdM by Robert_Edwardly@poa.st
       2023-05-26T06:37:23.962198Z
       
       0 likes, 0 repeats
       
       @RealAkoSuminoe @Boomerman @Shadowman311 @reloadedAK @ggf @DK_Dharmaraj @graf This is especially true with the current state of signal. No opsec is perfect, and I'm not saying don't use signal. But don't send sms about your politics to normie friends, shitlib girls whose tits you want to see, and grandma.
       
 (DIR) Post #AW2SR3jDHc1Zsv20Ke by mint@ryona.agency
       2023-05-26T06:37:08.074794Z
       
       4 likes, 5 repeats
       
       @lain @graf Looks like there was a bit of social engineering involved. My first guess was, since poast runs Soapbox as default frontend and serves Pleroma-FE separately, the subdomain FE is on (pl.poa.st) might have not applied CSP rules, essentially giving all control over the local storage to the opened HTML with embedded JS. But that fails flat in his setup, since media is hosted on a separate domain (poastcdn.org) which should have those rules applied regardless.
       Screenshot_20230526_093439.png
       
 (DIR) Post #AW2SYAROiwoAjN5VI0 by sarvo@novoa.nagoya
       2023-05-26T06:39:20.558Z
       
       3 likes, 4 repeats
       
       @lain@lain.com @graf@poa.st alex gleason is yet again an agent that destroys the fediverse
       
 (DIR) Post #AW2SnWnzr6XyR8yzgW by graf@poa.st
       2023-05-26T06:42:03.352651Z
       
       10 likes, 1 repeats
       
       @lain we had a user approach us claiming an image wouldn't load on pleroma FE but would load fine on soapbox, screenshot had a seemingly empty post so I/we went to check it out. loaded fine so I didn't think anything of it but I think it might have been embedded tags in svg or similar. I'm currently restoring our database backup from that night before he nuked his account so I can get a better picture and will have more details this weekend. feelsshittyman
       
 (DIR) Post #AW2SuCRHyWNHIbXhlg by Paleloon@poa.st
       2023-05-26T06:43:00.004584Z
       
       3 likes, 0 repeats
       
       @PodunkPotato @Omega_Variant @Owl @Boomerman @DK_Dharmaraj @Dan_Hulson @Shadowman311 @ggf @graf @reloadedAK Honestly all they have from here on me is memes and cute animal pictures so fuck em lets GOOOO!
       
 (DIR) Post #AW2SxonhnvP18zklo8 by lain@lain.com
       2023-05-26T06:42:59.856452Z
       
       1 likes, 0 repeats
       
       @graf thanks for the info. hang in there!
       
 (DIR) Post #AW2TFiGmpCc46Kt9bU by Goobly@poa.st
       2023-05-26T06:45:40.639640Z
       
       0 likes, 0 repeats
       
       @graf @lain Did they grab your token too?
       
 (DIR) Post #AW2TFqGj5JJmuSvDcW by graf@poa.st
       2023-05-26T06:47:07.479927Z
       
       3 likes, 0 repeats
       
       @Goobly @lain I don't know which token was taken yet. I dropped all tokens from our database immediately after noticing so that's another reason I'm restoring database to a testing environment. a couple of us are going to dig through it and get a complete picture to report it.
       
 (DIR) Post #AW2TRqfbQ1Hxd4Hagi by m0n5t3r@ps.m0n5t3r.info
       2023-05-26T06:49:21.359209Z
       
       0 likes, 0 repeats
       
       @djsumdog @AnimeTradCath @EdBoatConnoisseur @graf @wishgranter14 yeah, I'd be curious to learn how the hell can someone upload javascript and then have it load / execute; does something accept random html from the luser / other servers and display it unchanged, including scripts? that would be... retarded
       
 (DIR) Post #AW2Tfi3kEI0EyhBV4q by EdBoatConnoisseur@poa.st
       2023-05-26T06:51:52.553931Z
       
       0 likes, 0 repeats
       
       @m0n5t3r @djsumdog @AnimeTradCath @graf @wishgranter14 pleroma is all sorts of hacked together, if anything we should be glad it ain’t hacked together in perl
       
 (DIR) Post #AW2Um0mpcBpwkcqIBE by l0ngyap@akm.longyap.name.my
       2023-05-26T07:04:15.092441Z
       
       1 likes, 0 repeats
       
       @graf is your guys s3 broken? I cant see shit
       
 (DIR) Post #AW2UrDR213JtQY7wXo by graf@poa.st
       2023-05-26T07:05:02.823599Z
       
       1 likes, 0 repeats
       
       @l0ngyap we don't use s3, I rewrote how our CDN pulls media to lock down access to media from the poa.st domain. go to i.poastcdn.org/speedtest and tell me what server it says at the top of the page (probably tokyo1.poastcdn.org or something)
       
 (DIR) Post #AW2UzXESIJrH8yDBa4 by RealAkoSuminoe@poa.st
       2023-05-26T06:11:09.996800Z
       
       9 likes, 2 repeats
       
       @graf @BiggusDiccus @Boomerman no fun allowed
       
 (DIR) Post #AW2VI9MrFKGYdD1BtQ by l0ngyap@akm.longyap.name.my
       2023-05-26T07:10:03.449090Z
       
       1 likes, 0 repeats
       
       @graf singapore1.poastcdn.org
       
 (DIR) Post #AW2VKJ7ZxBfHSctsgK by l0ngyap@akm.longyap.name.my
       2023-05-26T07:10:27.072998Z
       
       0 likes, 0 repeats
       
       @graf
       
 (DIR) Post #AW2VP2RDPQT3ANLCT2 by graf@poa.st
       2023-05-26T07:11:14.970897Z
       
       1 likes, 0 repeats
       
       @l0ngyap should be resolved, let me know if images load and sorry (i forgot to whitelist that edge ip, oops)
       
 (DIR) Post #AW2VlHw4TBWjbPNoW0 by Lapineige@mamot.fr
       2023-05-26T07:11:11Z
       
       0 likes, 0 repeats
       
       @graf how can we fix such a vulnerability (using Nginx)? I don't know how to change that CSP. Asking for #Yunohost packaging, which impacts many people 🙏
       
 (DIR) Post #AW2VlIjLVywU4ERAJs by graf@poa.st
       2023-05-26T07:15:12.892594Z
       
       1 likes, 1 repeats
       
       @Lapineige for pleroma? you could do something like

           location ~ ^/media {
               [...]
               add_header Content-Security-Policy "script-src 'none';";
               [...]
           }
       
 (DIR) Post #AW2VlJxYwbuNsc627M by l0ngyap@akm.longyap.name.my
       2023-05-26T07:15:19.622594Z
       
       0 likes, 0 repeats
       
       @graf yep its good now thx
       
 (DIR) Post #AW2W44w11yhmmbJifg by Lapineige@mamot.fr
       2023-05-26T07:15:56Z
       
       1 likes, 0 repeats
       
       @graf thanks a lot! Would it be the same for Akkoma?
       
 (DIR) Post #AW2W45VSuB3sYXu1vU by graf@poa.st
       2023-05-26T07:18:38.598134Z
       
       1 likes, 0 repeats
       
       @Lapineige yeah I presume the configuration is the same. this is default for pleroma iirc. you can configure where media is served in adminFE so check to make sure default install is actually under yourdomain.tld/media and not some other location and adjust for whatever that location is if it is not the same
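
As an added example (not code from the thread, Pleroma or Akkoma), the checker below applies the two mitigations graf describes to one captured media response: is the file served from the instance's own origin, and does the response's CSP actually forbid script execution? Instance and media URLs, header values and the finding labels are all constructed for the demonstration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Finding labels returned by assess_media_exposure() (constructed names).
SAME_ORIGIN = "media is served from the instance's own origin"
SCRIPTS_ALLOWED = "response CSP does not block script execution"

# Default ports used when a URL carries none (assumption: only http/https).
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int | None]:
    """Return the (scheme, host, port) triple a browser uses for same-origin decisions."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def same_origin(instance_url: str, media_url: str) -> bool:
    """True when an uploaded file would run with the same origin as the instance itself."""
    return origin(instance_url) == origin(media_url)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Per the CSP spec only the first occurrence of a directive is honoured."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def scripts_blocked(csp: str | None) -> bool:
    """True only when the policy forbids every script source.
    script-src governs scripts; default-src is the fallback when it is absent.
    'self' is NOT enough here: a .js uploaded next to the .html is same-origin."""
    if not csp:
        return False
    policy = parse_csp(csp)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no applicable directive, so nothing is restricted
    # An empty source list, or exactly 'none', matches no source at all.
    return sources == [] or sources == ["'none'"]


def assess_media_exposure(instance_url: str, media_url: str,
                          headers: dict[str, str]) -> list[str]:
    """Report which of the two mitigations from the thread is missing for one response."""
    findings = []
    if same_origin(instance_url, media_url):
        findings.append(SAME_ORIGIN)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not scripts_blocked(lowered.get("content-security-policy")):
        findings.append(SCRIPTS_ALLOWED)
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real instance.
    default_install = assess_media_exposure(
        "https://yourdomain.xyz",
        "https://yourdomain.xyz/media/upload.html",
        {"Content-Type": "text/html"},
    )
    hardened = assess_media_exposure(
        "https://yourdomain.xyz",
        "https://media.yourdomain.xyz/upload.html",
        {"Content-Type": "text/html", "Content-Security-Policy": "script-src 'none';"},
    )
    print("default install:", default_install)  # both findings
    print("hardened:", hardened)                # []
```

When the CSP is added in its own nginx location block as in graf's snippet, remember that add_header directives in a location block replace, rather than extend, those inherited from the server block, so any other security headers must be repeated there.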
       
 (DIR) Post #AW2WRxEzHxGrs1Zlia by Suiseiseki@freesoftwareextremist.com
       2023-05-26T07:22:58.160447Z
       
       4 likes, 1 repeats
       
       @graf So I was right to use BloatFE and never run JavaShit all along?
       
 (DIR) Post #AW2WW7xZNSEQH0Q11k by graf@poa.st
       2023-05-26T07:23:41.766488Z
       
       3 likes, 0 repeats
       
       @Suiseiseki yes you are correct bloat is superior and I kneel
       
 (DIR) Post #AW2Wdo7d196n42mln6 by jeffcliff@shitposter.club
       2023-05-26T07:25:07.496341Z
       
       0 likes, 0 repeats
       
       @HackerRadioShow
       
 (DIR) Post #AW2XZJvXRKICDCYT20 by RealAkoSuminoe@poa.st
       2023-05-26T06:44:27.690869Z
       
       1 likes, 0 repeats
       
       @Robert_Edwardly @Boomerman @Shadowman311 @reloadedAK @ggf @DK_Dharmaraj @graf SMS is so comically insecure that it should just be illegal. The Signal protocol is still the best messenger protocol out there (so far), but still use caution, and remember that if someone gets access to your phone or computer that everything you sent and received there can be seen by a jury.
       
 (DIR) Post #AW2XlipQgNKeuwbwm0 by beardalaxy@gameliberty.club
       2023-05-26T07:37:44Z
       
       0 likes, 0 repeats
       
       @graf @BiggusDiccus @Boomerman you already can't upload JS on mastodon afaik. just audio/video/images.
       
 (DIR) Post #AW2Xs6G0UKIHJl5FXU by hakui@tuusin.misono-ya.info
       2023-05-26T07:38:58.190815Z
       
       3 likes, 0 repeats
       
       @graf @lain the admin version of opening a suspicious attachment :notLikeThis:
       
 (DIR) Post #AW2YKH5Roist0uZz7o by UnityOstara@poa.st
       2023-05-26T07:44:01.781858Z
       
       0 likes, 0 repeats
       
       @graf Thanks, Graf for the heads up!
       
 (DIR) Post #AW2YLWtmVxtmLJillo by Goobly@poa.st
       2023-05-26T07:39:21.007672Z
       
       0 likes, 0 repeats
       
       @graf @Lapineige What I have hard time understanding, probably because I don't know the technical side of these instances, is how did they manage to execute the script in the first place - I don't think I am allowed to write raw HTML that would trigger the script load one way or another? Or was it something like <svg onerror="(window.document.createElement...)"...?
       
 (DIR) Post #AW2YLXcnoZuYawmiwa by graf@poa.st
       2023-05-26T07:44:14.748341Z
       
       4 likes, 0 repeats
       
       @Goobly @Lapineige I will have a better more complete picture later this weekend and I will update my OP
       
 (DIR) Post #AW2aNys5gQw9aPE7bE by sim@shitposter.club
       2023-05-26T08:07:06.535370Z
       
       2 likes, 0 repeats
       
       @EdBoatConnoisseur @DK_Dharmaraj @Eiswald @graf It's probably more likely to be some hacker group or person. We've seen someone signing up lots of accounts on instances so they've had time to experiment. I remember in the earlier days of GS that we had a hacker group come over except that they seemed more friendly, doing it for fun and showing the vulnerabilities in the software. They would sign up lots of accounts to spam an instance, and found an exploit... I think it was like an XSS attack or something, where they were able to post using accounts that had clicked a link. Would be curious to find out if this is something similar.
       
 (DIR) Post #AW2adgiAy9jvti4xN2 by hj@shigusegubu.club
       2023-05-26T08:09:34.046918Z
       
       1 likes, 0 repeats
       
       @r @hakui well, potentially someone could upload a js file and upload an html file that references that, however opening html file should just display its contents. another way would be to upload a malicious flash file :^)
       
 (DIR) Post #AW2aj4i3Am61m2aZXs by vaartis@pl.kotobank.ch
       2023-05-26T08:11:26.952249Z
       
       0 likes, 0 repeats
       
       @hj @r @hakui flash does not have access to normal cookies i believe
       
 (DIR) Post #AW2anAtA8luK63k288 by hj@shigusegubu.club
       2023-05-26T08:11:20.903016Z
       
       1 likes, 0 repeats
       
       @vaartis @r @hakui who knows what vulnerabilities ruffle has.
       
 (DIR) Post #AW2avshT8PPcIAQJsG by redditeur@poa.st
       2023-05-26T04:43:36.591686Z
       
       0 likes, 0 repeats
       
       @bajax @Eiswald @DK_Dharmaraj @graf After exploited, this particular vulnerability seems pretty obvious (trusting uploadable media files to run within the root domain? INSANITY!), but I'd argue it's something easy to overlook.
       
 (DIR) Post #AW2avtXa0f60tmnw6C by bajax@bajax.us
       2023-05-26T08:13:10.232511Z
       
       0 likes, 0 repeats
       
       @redditeur @DK_Dharmaraj @Eiswald @graf >it's something easy to overlook.
       not really
       
 (DIR) Post #AW2bcNEryzCrAWJBcu by NathanielHigger1488@poa.st
       2023-05-26T08:20:54.213614Z
       
       0 likes, 0 repeats
       
       @DK_Dharmaraj @graf >@TheRalphRetard is a state actor
       Uh oh
       
 (DIR) Post #AW2jL93CHRaBsJ90bY by Bellerophon@poa.st
       2023-05-26T09:47:26.293986Z
       
       0 likes, 0 repeats
       
       @marlin @greenpx Gotcha. Although I'm confused, how does email factor in? I.e., is there a poast email service I'm not aware of or something
       
 (DIR) Post #AW2nGrpAmi3Z6hngB6 by Curvin@poa.st
       2023-05-26T10:31:28.574642Z
       
       0 likes, 0 repeats
       
       @graf That is some absolutely nutty technomagic bullshit
       
 (DIR) Post #AW2pvGGXWzr6P0zRq4 by Eiregoat@nicecrew.digital
       2023-05-26T11:01:14.184994Z
       
       3 likes, 0 repeats
       
       Thing about these techniques is that even if they're developed for a state actor, they tend to very quickly get into the wild and end up being used by script kiddies. For instance, a few years back it turned out that CIA agents were passing around their most secret pen tools on USB keys. These weren't just regular hacks and exploits, these were deliberate back doors installed by megacorps to be used under only the most dire circumstances, and those chucklefucks were just like "oh hey joe, your project needs some skeleton keys? Here." Naturally they ended up being spread far and wide outside of any government agency and eventually someone made their existence public so the vulnerabilities could be fixed. So in this case... who knows. Could be a state actor, could be a megacorp, or could be some dickhead like Ralph with an axe to grind.
       
 (DIR) Post #AW2qAjkUCEdABbNP9s by Eiregoat@nicecrew.digital
       2023-05-26T11:04:02.040356Z
       
       1 likes, 0 repeats
       
       Plus, if it was a state actor they wouldn't immediately leak everything.
       
 (DIR) Post #AW2xzaCAAvtb0JVxfk by Bead@poa.st
       2023-05-26T12:31:36.162098Z
       
       0 likes, 0 repeats
       
       @reloadedAK @Shadowman311 @ggf @DK_Dharmaraj @graf Zoom isn't a faggot. Corey Barnhill/Corey Shiratori, is a child rapist and federal asset. He literally rapes 8 year olds and the FBI uses him to run gayops against political dissidents. Ethan Ralph knowingly and willingly associates with multiple child rapists because it is expedient for him to use their influence.
       
 (DIR) Post #AW36SfbzulAjpoymCu by buttered_poasties@poa.st
       2023-05-26T14:06:26.814294Z
       
       0 likes, 0 repeats
       
       @MechaSilvio @graf @TheWanax @Jean_Philippe_Micheaux @EdBoatConnoisseur @Eiswald @DK_Dharmaraj there were a lot of shows discussing his first book. has anyone done a review episode of the new one?
       
 (DIR) Post #AW36aRoP6dUZLsUUSm by MechaSilvio@poa.st
       2023-05-26T14:07:50.521853Z
       
       1 likes, 0 repeats
       
       @buttered_poasties @graf @TheWanax @Jean_Philippe_Micheaux @EdBoatConnoisseur @Eiswald @DK_Dharmaraj it's been out for only 2-3 days
       
 (DIR) Post #AW36iGMVYoMA9oAYoi by fishsticks@poa.st
       2023-05-26T14:09:12.368110Z
       
       0 likes, 0 repeats
       
       @bajax @DK_Dharmaraj @Eiswald @graf @redditeur If it's so easy and obvious why don't you audit fedi software personally so these exploits are less likely to happen for everyone?
       
 (DIR) Post #AW37VQKnGw3NH8oEJU by fishsticks@poa.st
       2023-05-26T14:18:06.857625Z
       
       2 likes, 0 repeats
       
       @Bellerophon @marlin @greenpx The emails mean the emails you signed up to the site with. For example if you used "ihateniggersandmyrealnameisjohnsmith@gmail.com" as your email for post when you made an account that is now public information
       
 (DIR) Post #AW37xsZJtJoKx1AjrM by Bellerophon@poa.st
       2023-05-26T14:23:16.281734Z
       
       1 likes, 0 repeats
       
       @fishsticks @marlin @greenpx Got it, thanks fam. In hindsight my question was dumb
       
 (DIR) Post #AW389Zvj0zW0cSEMwC by fishsticks@poa.st
       2023-05-26T14:25:25.328367Z
       
       1 likes, 0 repeats
       
       @Bellerophon @marlin @greenpx You're good man. Having information leak can be stressful.
       
 (DIR) Post #AW3BwiWIAOl3JPSPrs by bajax@bajax.us
       2023-05-26T15:07:54.856805Z
       
       1 likes, 0 repeats
       
       @fishsticks @DK_Dharmaraj @Eiswald @graf @redditeur don't care enough
       
 (DIR) Post #AW3GNMTCeg1iYqyO8G by bajax@bajax.us
       2023-05-26T15:57:33.423475Z
       
       1 likes, 0 repeats
       
       @fishsticks @DK_Dharmaraj @Eiswald @graf @redditeur basically, in programming for anything that hooks up to a network you have to think at every step of the way, "How could this be exploited?"  You are writing code that's going to be run on OTHER people's hardware, you have to think very carefully about what your code exposes to outsiders. The problem here is that this wasn't some obscure vulnerability, some unforeseen consequence of connecting an outside text processing library with a newfangled webdingus in a way that allows prostate buffer overflow nobody ever expected -- it's literally just letting outsiders dump files of any type on your system in an HTTP-accessible directory. It's hard to explain to people who don't program how basic this oversight is, but it's kind of outrageous. As for why I didn't fix it myself, :seinfeld:
       
 (DIR) Post #AW3H7GaMrinjdEDIQK by fishsticks@poa.st
       2023-05-26T16:05:52.490572Z
       
       0 likes, 0 repeats
       
       @bajax @DK_Dharmaraj @Eiswald @graf @redditeur >it's literally just letting outsiders dump files of any type on your system in an HTTP-accessible directory.
       I'll be honest I'm not a programmer or anything so I could just be dumb but don't file hosting websites do exactly this? What stops those sites from getting attacked in this sort of way? Not gonna disagree that fedi is poorly programmed though. The fact I can't use this shitware without javascript should speak for itself.
       
 (DIR) Post #AW3HMnrhPnrXBqjEdU by bajax@bajax.us
       2023-05-26T16:08:39.158917Z
       
       1 likes, 0 repeats
       
       @fishsticks @DK_Dharmaraj @Eiswald @graf @redditeur They either filter certain file types or send security headers along with the file that make browsers enforce that the file can't be executed in-situ, or like a lot of places like megaupload does, send the file in a non-standard way such that it can't even be downloaded without some user-involved process.
       
 (DIR) Post #AW3HudCnYPjxyXjC9w by fishsticks@poa.st
       2023-05-26T16:14:46.881198Z
       
       0 likes, 0 repeats
       
       @bajax @DK_Dharmaraj @Eiswald @graf @redditeur >or send security headers along with the file that make browsers enforce that the file can't be executed in-situ
       I thought everyone already did this. From what I understand, that isn't even that hard to do. What the fuck.
       
 (DIR) Post #AW3ID9jnL4Fw5JzkyO by bajax@bajax.us
       2023-05-26T16:18:07.290689Z
       
       1 likes, 0 repeats
       
       @fishsticks @DK_Dharmaraj @Eiswald @graf @redditeur It's NOT, but it requires configuration in a part of the software pleroma isn't TECHNICALLY responsible for (the web server, typically nginx)
       
 (DIR) Post #AW3JJsavZfyUtjcLE8 by exosome@poa.st
       2023-05-26T16:30:32.985171Z
       
       0 likes, 0 repeats
       
       @graf I wrote at least twice that entire WEF-lightning-Nostr hopium looks like a deliberate attack on our side of the Fediverse. And here we are. iris.to/note1u34gw2t3xtyhzd3ea4hyspddx989jjy79zcdm0wlqf4aeay304wsea9yzc
       
 (DIR) Post #AW3OgAxcTDTS06gMs4 by picandor@gameliberty.club
       2023-05-26T17:30:38Z
       
       0 likes, 0 repeats
       
       @graf I don't think anyone would've seen something like this coming. It seems a bit too sophisticated for fedi, if I'm fully honest.
       
 (DIR) Post #AW3S7QjcEKYMbXosiW by dharmadudebro@poa.st
       2023-05-26T18:09:10.389165Z
       
       0 likes, 0 repeats
       
       @graf So Graf if I deleted a dm back in 2022 would that still be archived?
       
 (DIR) Post #AW3bB4oEacs3LjnGQC by p@freespeechextremist.com
       2023-05-26T19:50:44.124383Z
       
       6 likes, 0 repeats
       
       @kirby @graf FSE is immune.  No previews, paranoid CSP headers, no media proxy...and no admin tokens.
       
 (DIR) Post #AW3bVPdAswHvibJjkm by p@freespeechextremist.com
       2023-05-26T19:54:24.651976Z
       
       2 likes, 0 repeats
       
       @graf @mona CSP on attachments.
       
 (DIR) Post #AW3cCNPozuVdIdYgnQ by devolve@poa.st
       2023-05-26T19:52:09.249149Z
       
       1 likes, 0 repeats
       
       @graf what the fuck, so no security checking in this retarded Nostr bridge. Why did you even allow a gateway to Nostr, it was a fucking stupid idea when I saw it was happening.
       Maybe next time take pause and think about just jumping into some new tech.
       
 (DIR) Post #AW3cCO4EZeprJySxmq by graf@poa.st
       2023-05-26T20:01:57.428296Z
       
       3 likes, 0 repeats
       
       @devolve your anger is misplaced friend
       
 (DIR) Post #AW3cJJqcf1RiGHPAGm by p@freespeechextremist.com
       2023-05-26T20:03:25.818681Z
       
       2 likes, 0 repeats
       
       @Eiswald @DK_Dharmaraj @graf > Literally reads like a private corporation
       No.
       > Whoever it was they were probably very skilled
       No, CSP/XSS.  This isn't Stuxnet.  Not skiddies but not anything amazing.
       > Always assume that EVERYTHING you do on the internet is being monitored.
       First correct thing you have said.
       
 (DIR) Post #AW3cJPZTNhIE0pQYN6 by BigDuck@poa.st
       2023-05-26T20:03:17.100875Z
       
       0 likes, 0 repeats
       
       @devolve @graf Who are you to demand anything lol?
       
 (DIR) Post #AW3cSDfN0qQxhENyMq by Bead@poa.st
       2023-05-26T20:04:54.251286Z
       
       1 likes, 0 repeats
       
       @BigDuck @devolve @graf >Sept 2022
       
 (DIR) Post #AW3cUFACPuMov2lrH6 by p@freespeechextremist.com
       2023-05-26T20:05:24.277381Z
       
       0 likes, 0 repeats
       
       @djsumdog @graf Just a token grab, not a hijack.  The part in the admin's browser is just the token exfiltration.
       
 (DIR) Post #AW3cWoLMaalwbiDWFc by mia@freespeechextremist.com
       2023-05-26T20:05:52.118137Z
       
       4 likes, 1 repeats
       
       @p @Eiswald @DK_Dharmaraj @graf When they realize top tier threats hit hardware.
       B074FFBD-0ABA-455F-A60D-E06216761722.jpeg
       
 (DIR) Post #AW3cYXICxGpGIuZ0gi by jeffcliff@shitposter.club
       2023-05-26T20:06:09.948522Z
       
       0 likes, 0 repeats
       
       Have you considered running your own instance?  We need more people who are security conscious to balance the load on the fediverse.
       
 (DIR) Post #AW3cvbiCgrIifdixk0 by p@freespeechextremist.com
       2023-05-26T20:10:20.997666Z
       
       1 likes, 0 repeats
       
       @Sui @matty @graf I've seen the code, you dipshit.
       
 (DIR) Post #AW3dPe7mHk7qqA0g76 by devolve@poa.st
       2023-05-26T20:09:19.348027Z
       
       0 likes, 0 repeats
       
       @jeffcliff @graf You know what, I think I might.
       In any case, time to kill this account.
       
 (DIR) Post #AW3duvoMZlJGfjqZBw by p@freespeechextremist.com
       2023-05-26T20:21:25.972088Z
       
       1 likes, 0 repeats
       
       @EdBoatConnoisseur @graf Probably just that baest was the only other token they got.  You'd have to load it through the media proxy and the media proxy would have to have CSP permissive enough to exfiltrate the token.
       
 (DIR) Post #AW3e0IZfN4PsiaX212 by p@freespeechextremist.com
       2023-05-26T20:22:24.169513Z
       
       4 likes, 0 repeats
       
       @colonelj @graf Nah, Nostr was just what they used to exfiltrate the token.  Could have been anything.
       
 (DIR) Post #AW3eVAsI32Zxobxvm4 by pwm@crlf.ninja
       2023-05-26T20:27:58.179264Z
       
       5 likes, 3 repeats
       
       @p @colonelj @graf No you nitwit it was Alex Gleason himself who wrote a malicious HACKING TOOL that connects to the CRYPTOBRO HACKERBRO network where crypto users (criminals) commiserate to hack into and destroy wholesome sites like poast and baest where people are just trying to make friends and discuss their interests. We all know ALEX GLEASON did it to try and push people onto his network for crypto-pedo enthusiasts mostr.pub
       
 (DIR) Post #AW3ebDlsBxGSXIqbKq by graf@poa.st
       2023-05-26T20:28:51.705627Z
       
       3 likes, 0 repeats
       
       @pwm @p @colonelj you joke but I don't doubt that there was some malicious intent regarding Alex with this exfiltration method
       
 (DIR) Post #AW3ehPzzdsj2CIPIem by Bead@poa.st
       2023-05-26T20:30:03.930211Z
       
       3 likes, 0 repeats
       
       @graf @pwm @p @colonelj Big Vegan strikes again
       
 (DIR) Post #AW3etwOH2LEW8JjeEq by pwm@crlf.ninja
       2023-05-26T20:32:26.855888Z
       
       1 likes, 0 repeats
       
       @graf @colonelj @p My theory on it is that
       a) mostr is a minimal, readily adaptable, easy to deploy piece of software, because any minimal AP implementation could have done the job
       b) some angle of a fuck you to gleason using his stuff to do it
       c) some vague false-flag thing just muddying the waters
       maybe some combination of the above.
       
 (DIR) Post #AW3fBIWI0uz9gllF7Q by p@freespeechextremist.com
       2023-05-26T20:35:35.741061Z
       
       1 likes, 1 repeats
       
       @EdBoatConnoisseur @Eiswald @DK_Dharmaraj @graf I think that number is way low.
       You should try asking Sui where the minecraft mod came from, because the same tool was used to dump the Poast chats as the Chudbuds one, and that thread on alogs had pictures of graf/Gleason/etc., then that guy ran around fedi saying Poast was next.
       
 (DIR) Post #AW3ftgwKa90SAT6tma by p@freespeechextremist.com
       2023-05-26T20:43:37.127960Z
       
       3 likes, 0 repeats
       
       @like50bears @graf > I get that CSP won't prevent it
       CSP absolutely would prevent it.  I'm not sure how PleromaFE is related, but I've seen that code, the only thing that could have stopped it is CSP or hosting attachments (including proxied ones) on a different domain.
       
 (DIR) Post #AW3gH17JjIyxPHN5f6 by p@freespeechextremist.com
       2023-05-26T20:47:50.058047Z
       
       2 likes, 0 repeats
       
       @bajax @Eiswald @DK_Dharmaraj @graf > This shit's got script-kiddie written all over it.
       Does look like someone that understands CSP/XSS wrote it from scratch.
       > this vulnerability was a HUGE oversight that should have been obvious to anyone with half a brain years ago...
       I wouldn't know anything about constantly screeching about that until it became obvious no one was gonna listen.  I wouldn't know a damn thing about the PoC I did for this.  Wonder how these places handle JS referenced from SVGs.
       > I suspect they even knew this when they were implementing media proxy this way from the beginning, but resolved to fix it later-- and then never did.
       Media proxy has been a mistake this entire time.  Who guessed?
       
 (DIR) Post #AW3gI9v2UQLczlAmsi by Humpleupagus@eveningzoo.club
       2023-05-26T20:48:01.183171Z
       
       1 likes, 0 repeats
       
       Would the auth token allow them to access BE or only FE if the token was for an admin account?
       
 (DIR) Post #AW3gR303aGkw8sl4hU by p@freespeechextremist.com
       2023-05-26T20:49:38.823551Z
       
       2 likes, 0 repeats
       
       @bajax @Eiswald @DK_Dharmaraj @graf > This shit's got script-kiddie written all over it.
       Does look like someone that understands CSP/XSS wrote it from scratch.
       > this vulnerability was a HUGE oversight that should have been obvious to anyone with half a brain years ago...
       I wouldn't know anything about constantly screeching about that until it became obvious no one was gonna listen.  I wouldn't know a damn thing about the PoC I did for this.  Wonder how these places handle JS referenced from SVGs.
       > I suspect they even knew this when they were implementing media proxy this way from the beginning, but resolved to fix it later-- and then never did.
       Media proxy has been a mistake this entire time.  Who guessed?
       
 (DIR) Post #AW3gcHh1IQfotgDDIO by ademan@thebag.social
       2023-05-26T20:51:40.108857Z
       
       3 likes, 0 repeats
       
       getting access to your backend is the easy part
       
 (DIR) Post #AW3gfPiptrOifUYP3o by p@freespeechextremist.com
       2023-05-26T20:52:14.607200Z
       
       1 likes, 0 repeats
       
       @hakui @graf Hope you've got media proxy off, friend.
       
 (DIR) Post #AW3gyvgBJAEdHecMue by Humpleupagus@eveningzoo.club
       2023-05-26T20:55:45.096114Z
       
       3 likes, 0 repeats
       
       The trick is to go in head first.
       
 (DIR) Post #AW3h3zKl9Ffm490h7I by ForbiddenDreamer@poa.st
       2023-05-26T20:56:33.374803Z
       
       2 likes, 0 repeats
       
       @Humpleupagus @ademan @p @graf @like50bears Do a flip, faggot.
       
 (DIR) Post #AW3h6gw60VlbsIlMzw by ademan@thebag.social
       2023-05-26T20:57:09.659674Z
       
       2 likes, 0 repeats
       
       what a way to go
       
 (DIR) Post #AW3hDBAWW2AXNSbZIW by dcc@annihilation.social
       2023-05-26T20:58:15.703000Z
       
       2 likes, 0 repeats
       
       @p @graf @hakui who ever thought media proxy was a good idea? i think a few months back i said something about how you could get hacked through it :alex_lol:
       
 (DIR) Post #AW3hH3xlFU9sBfUHMe by p@freespeechextremist.com
       2023-05-26T20:59:02.842153Z
       
       4 likes, 0 repeats
       
       @animeirl @graf It's FE-independent as far as I can tell.  Gleason seems to think there's PleromaFE involvement, I don't know what the deal is there (he was Iron Dome'd during the spamwave last week, so he can't tag me; solved the spam issue from FSE's end) but I don't see how it's possible.  You have to allow an HTML attachment to load the script:  unless a FE loads the HTML to do a preview, FE isn't involved.
       
 (DIR) Post #AW3iOXkwyZeIZScsUq by lain@lain.com
       2023-05-26T21:03:24.192723Z
       
       2 likes, 0 repeats
       
       @p @graf @animeirl there's a bug with oembeds not being properly stripped of their tags and pleroma-fe just displayed it, if soapbox puts them in an iframe that would indeed make soapbox safe from this. there is a second exploit that is frontend independent, but it's much more involved and you have to open the attachment in a new tab
       
 (DIR) Post #AW3iUzUSm48MK9zMKe by Sui@decayable.ink
       2023-05-26T21:12:45.710515Z
       
       1 likes, 0 repeats
       
       @p @matty @graf It's called a joke, you knuckle dragging wanker.
       
 (DIR) Post #AW3ic4X8QG7JzZcBwe by n3f_X@nicecrew.digital
       2023-05-26T21:14:02.611713Z
       
       1 likes, 0 repeats
       
       lol watch out for ole pete ... he will kvetch and start dm flooding you
       
 (DIR) Post #AW3ijbugiPRNXrE5zc by animeirl@shitposter.club
       2023-05-26T21:15:23.864018Z
       
       1 likes, 0 repeats
       
       @lain @p @graf is the second still not solved?
       
 (DIR) Post #AW3k4PUeBh8x3oWnBI by lain@lain.com
       2023-05-26T21:17:55.983017Z
       
       1 likes, 1 repeats
       
       @animeirl @p @graf that one is solved by the patches in pleroma, the CSP nginx snippet and moving media and proxy to a subdomain, any one of these fixes will solve it.
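       The attachment hardening this thread keeps coming back to (bajax's "security headers along with the file", p's "CSP on attachments" and "hosting attachments on a different domain", and lain's list of fixes above: the Pleroma patches, the CSP nginx snippet, moving media and proxy to a subdomain) as an added example. This is not code from Pleroma or from anyone in the thread. It audits a media response for the two properties the posters describe, a separate origin and headers that stop an uploaded HTML/SVG/JS file from running with the instance's cookies, and renders that header policy in an assumed nginx form that is not the snippet lain refers to. The instance name, media URLs and response headers are constructed sample data.

```python
"""Audit an attachment response for the hardening discussed in the thread:
serve media from a separate origin and send headers that keep an uploaded
HTML/SVG/JS file from executing with the instance's cookies and API access.

Added example, not code from Pleroma or from anyone in the thread.  The
instance name, media URLs, response headers and the nginx form rendered
below are all constructed or assumed for illustration.
"""
from urllib.parse import urlsplit

# Headers expected on every media response.  The CSP sandbox denies script
# execution and gives the document an opaque origin; nosniff stops the browser
# from upgrading a mislabelled file to a script or document type.
HARDENED_HEADERS = {
    "Content-Security-Policy": "sandbox; default-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

# Types a browser would render as a scriptable document; these must also be
# forced to download (Content-Disposition: attachment) rather than rendered.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "application/javascript", "text/javascript",
}


def same_origin(a: str, b: str) -> bool:
    """True when two URLs share scheme, host and port, i.e. one browser origin."""
    def origin(url: str):
        p = urlsplit(url)
        port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
        return (p.scheme.lower(), p.hostname, port)
    return origin(a) == origin(b)


def audit_attachment(instance_url: str, media_url: str, headers: dict) -> list:
    """Return findings for one attachment response; [] means it is served the
    way the thread recommends (separate origin plus the headers above)."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()

    findings = []
    if same_origin(instance_url, media_url):
        findings.append("attachment served from the instance origin")
    if "sandbox" not in directives:
        findings.append("no CSP sandbox directive on the attachment response")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if ctype in ACTIVE_TYPES and disposition != "attachment":
        findings.append(f"{ctype} attachment rendered inline instead of downloaded")
    return findings


def nginx_location_snippet(path: str = "/media/") -> str:
    """Render the same policy as an nginx location block.  Assumed form for
    illustration, not the snippet referred to in the thread; it omits the
    root/alias or proxy_pass line an existing config already has."""
    add = [f'add_header {n} "{v}" always;' for n, v in HARDENED_HEADERS.items()]
    inner = add + ['add_header Content-Disposition "attachment" always;']
    return "\n".join(
        [f"location {path} {{"]
        + [f"    {line}" for line in add]
        + ["    # add_header in a nested location replaces the parent's set, so repeat them",
           r"    location ~* \.(html?|svg|xml|js)$ {"]
        + [f"        {line}" for line in inner]
        + ["    }", "}"]
    )


# Constructed sample data: the default layout (media under the instance's own
# domain, no extra headers) beside the hardened one and a plain image.
INSTANCE_URL = "https://example.social"
WEAK = ("https://example.social/media/upload.html", {"Content-Type": "text/html"})
HARDENED = ("https://media.example.social/upload.html",
            {"Content-Type": "text/html", "Content-Disposition": "attachment",
             **HARDENED_HEADERS})
IMAGE = ("https://media.example.social/photo.png",
         {"Content-Type": "image/png", **HARDENED_HEADERS})

if __name__ == "__main__":
    for label, (url, headers) in [("weak", WEAK), ("hardened", HARDENED), ("image", IMAGE)]:
        print(label, audit_attachment(INSTANCE_URL, url, headers) or "ok")
    print(nginx_location_snippet())
```

       Run against real responses, the same function takes the headers from an HTTP client's response object; the point of the separate-origin check is that a script in an attachment loaded from the instance's own host shares its cookies and is covered by whatever permissive CSP the instance serves, which is exactly the condition p describes for the media proxy case. Images pass without a Content-Disposition because only the scriptable types need to be forced to download.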
       
 (DIR) Post #AW3lnZ1dh5gjbq3RNw by p@freespeechextremist.com
       2023-05-26T21:49:44.490809Z
       
       10 likes, 2 repeats
       
       @mia @DK_Dharmaraj @Eiswald @graf
       cia_award_for_excellence_in_journalism.jpg
       
 (DIR) Post #AW3mQIdwXJxa5vRQvo by MechaSilvio@poa.st
       2023-05-26T21:56:38.897519Z
       
       2 likes, 0 repeats
       
       @graf @pwm @p @colonelj Probably convenient bc of the nostr username format being similar to a token. Less suspicious than calling a url from any Fedi node
       
 (DIR) Post #AW3mkEp0SFDe2A7im8 by p@freespeechextremist.com
       2023-05-26T22:00:20.728900Z
       
       2 likes, 0 repeats
       
       @pwm @colonelj @graf :hanksmoking: Gahdangit, Bobby.
       
 (DIR) Post #AW3mtuo1jAweqsHPY8 by p@freespeechextremist.com
       2023-05-26T22:02:05.662230Z
       
       0 likes, 0 repeats
       
       @graf @pwm @colonelj Figure they would have hit his instance if he was the target.
       
 (DIR) Post #AW3mwcGV7NwyDXt0cK by pwm@crlf.ninja
       2023-05-26T22:02:34.233914Z
       
       1 likes, 0 repeats
       
       @p @colonelj @graf why would anyone hack poast when they could just mow a lawn?
       
 (DIR) Post #AW3nJ6WJJMt2QG0JnM by p@freespeechextremist.com
       2023-05-26T22:06:38.800092Z
       
       1 likes, 0 repeats
       
       @Humpleupagus @like50bears @graf Once they get the admin token, they can do anything an admin can do.
       That includes the DB settings, by the way, if you're using in-DB config (which FSE doesn't).
       
 (DIR) Post #AW3nkXwLTNPtHaGd28 by p@freespeechextremist.com
       2023-05-26T22:11:36.371400Z
       
       0 likes, 0 repeats
       
       @lain @animeirl @graf Ouch.
       Whoever gets in there has checked SVGs I hope.
       
 (DIR) Post #AW3nxtV0czX7uZqUNc by p@freespeechextremist.com
       2023-05-26T22:14:01.110669Z
       
       2 likes, 0 repeats
       
       @Sui @matty @graf Only pretending to be retarded...again?
       
 (DIR) Post #AW3xZ8lLjxuRYKK932 by Sir_Leon@poa.st
       2023-05-27T00:01:27.810891Z
       
       0 likes, 0 repeats
       
       @DK_Dharmaraj @graf I saw what happened, I know it's likely a state actor who did this because they know every single vulnerability in most computer programs. How will it be different in Mastodon and Telegram for example?
       
 (DIR) Post #AW407H33dnRJ0K0imm by hakui@tuusin.misono-ya.info
       2023-05-27T00:30:08.850646Z
       
       3 likes, 0 repeats
       
       @p @graf always have been
       
 (DIR) Post #AW41HBGK6kuruQVGO8 by Humpleupagus@eveningzoo.club
       2023-05-27T00:43:06.051811Z
       
       1 likes, 0 repeats
       
       The exploit had to be tested, right? Is there any way to track, or search, for when it was first used? Does it leave any unique public signature?
       
 (DIR) Post #AW42IjF9Lv3ZXkFxZI by Sui@decayable.ink
       2023-05-27T00:54:38.819568Z
       
       4 likes, 2 repeats
       
       A user named "luzbel", they appeared 2-3 months earlier. Barely spoke to anyone, but mentioned "setting up a minecraft server" pretty early on IIRC. Likely JFK or mesofaggy/meticore, although there were quite a few tangentially involved.
       There's a video of it in use, and I believe the kiwifags were discussing what it could've been for a while (if that shithole ever comes back up). I lost basically all of the shit like the modpack and start up program .jar when I DFE'd. Anything specifically that would help?
       
 (DIR) Post #AW4BoqD3t1k20FfPMW by bajax@bajax.us
       2023-05-27T02:41:11.599341Z
       
       1 likes, 0 repeats
       
       @p @DK_Dharmaraj @Eiswald @graf Well my criteria for "script kiddie" is "could *I* do it with about a month of research and all the source code"
       
 (DIR) Post #AW5KRqxs0UXoQhdOgy by p@freespeechextremist.com
       2023-05-27T15:52:42.292652Z
       
       0 likes, 0 repeats
       
       @pwm @colonelj @graf :hanksad:
       
 (DIR) Post #AW5anU3TSnQV0wal04 by p@freespeechextremist.com
       2023-05-27T18:55:53.665284Z
       
       1 likes, 0 repeats
       
       @hakui @graf Unfathomable excellence, as expected.
       
 (DIR) Post #AW5cAeUev4SI0Fv1Q8 by p@freespeechextremist.com
       2023-05-27T19:11:17.191210Z
       
       1 likes, 0 repeats
       
       @Humpleupagus @EdBoatConnoisseur @DK_Dharmaraj @Eiswald @graf That is an excellent point.  So far, not sure where it was tested; I believe there was just one copy found on Poast.
       
 (DIR) Post #AW5cldvtxzhuylIejQ by p@freespeechextremist.com
       2023-05-27T19:17:58.307524Z
       
       0 likes, 0 repeats
       
       @Sui @EdBoatConnoisseur @DK_Dharmaraj @Eiswald @graf That's useful, yeah.  I don't remember ever hearing about alfaniner before he claimed responsibility for actually getting the mod to her.
       
 (DIR) Post #AW5cpxMjeqooPIuM7s by graf@poa.st
       2023-05-27T19:18:43.276873Z
       
       2 likes, 0 repeats
       
       @p @Sui @DK_Dharmaraj @EdBoatConnoisseur @Eiswald that guy actually donated to poast, weird to see him tied up in this if true
       
 (DIR) Post #AW5d4ixZV6xe4WBC4m by Twoinchdestroya@poa.st
       2023-05-27T19:21:24.780089Z
       
       1 likes, 0 repeats
       
       @graf @p @Sui @DK_Dharmaraj @EdBoatConnoisseur @Eiswald Alfa apparently was given the info and knew about the hack prior to them actually taking down chudbud.
       He admitted to having all the dox, but claimed no involvement in it.
       
 (DIR) Post #AW5dDHdkRbcBwnzMOm by 1nter4ri@poa.st
       2023-05-27T19:22:57.202153Z
       
       2 likes, 1 repeats
       
       @Twoinchdestroya @graf @p @Sui @DK_Dharmaraj @EdBoatConnoisseur @Eiswald Right after he complained to me that he was framed. At the time it seemed convincing.
       
 (DIR) Post #AW5gI9l1TkzQoIPGi0 by Sui@decayable.ink
       2023-05-27T19:57:27.036622Z
       
       3 likes, 1 repeats
       
       @p I don't remember alfa admitting to being luzbel, but I remember him stating that he picked me as a target because I gave him a profile badge that called him a faggot (2-3 months prior, he never got over it). He was on the video with JFK deleting Bear and then Claire, after a bit of profile vandalism, back when I assumed it was a brute force attack on me and all the password123 memes. I think JFK accused meticore of being luzbel on kiwi, but who the fuck knows as he lies more often than he breathes.
       @graf yeah, he donated to Claire too. He admitted to being wrapped up in the chudbud hack, I'd doubt he was still involved now as he was such a weak link though. I mean he'd already self doxed himself, then blurted out a confession on kiwifarms and tried to throw everyone under the bus.. It'd be fucking retarded to keep him in the gay ops group tbh.
       @Twoinchdestroya he video'd himself with JFK during the lesser of two hacks. I didn't see him admit to knowing they were going to do the KO hack, but it'd make sense. Everyone from bot to meticore to trollcow to book knew about that one prior, it was well known within the sneedfag alogs.
       @1nter4ri He facedoxed himself publicly in a video that he posted, and then highlighted it again in a post. He wasn't "framed" for anything, him and jfk (and ceptard to a lesser extent) may have been brought into sneed as patsies but both willingly participated over petty basic bitch drama. That's like a drug dealer claiming he was framed because he was only a middleman in the crime. Neither are trustworthy sources imo as federal fucking crimes were committed with them as (at least) the faces of the gay ops. But believe the faggot if you want idgaf, I'm only dredging this shit up because it's apparently relevant to the latest round of faggotry.
       
 (DIR) Post #AW6hbMi3qDelaxhjqS by p@freespeechextremist.com
       2023-05-28T07:46:51.044982Z
       
       1 likes, 0 repeats
       
       @graf @Sui @DK_Dharmaraj @EdBoatConnoisseur @Eiswald This is all I know; maybe not real, you can decide, seems credible:
       1.jpg 2.jpg 3.jpg 4.jpg 5.jpg 6.jpg
       
 (DIR) Post #AW6io7z00SF1diHDFI by p@freespeechextremist.com
       2023-05-28T08:00:21.735949Z
       
       1 likes, 0 repeats
       
       @Sui @1nter4ri @Twoinchdestroya @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @graf > I'd doubt he was still involved now as he was such a weak link though.
       Yeah, but he didn't make the mod, he was just the vector.  I don't know who did; maybe it came from the Sprate Haeder guy alfaniner mentioned, maybe someone else made it, I don't know who ran the servers or anything.
       > may have been brought into sneed as patsies
       Must have, yes.
       
 (DIR) Post #AW6kbHp2JRNUIccZZA by moth_ball@shitposter.club
       2023-05-28T08:20:26.391977Z
       
       2 likes, 0 repeats
       
       @p @Sui @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @graf Is this the hellthread?
       
 (DIR) Post #AW6mK0QLweL5KExnGK by p@freespeechextremist.com
       2023-05-28T08:39:44.314200Z
       
       2 likes, 1 repeats
       
       @moth_ball @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Sui @graf Every thread is its own hell.
       
 (DIR) Post #AW7IRcysBfbhT2mvOC by Sui@decayable.ink
       2023-05-28T14:39:39.887902Z
       
       2 likes, 1 repeats
       
       @p @1nter4ri @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Twoinchdestroya @graf Alfa's tech illiterate, he hired someone to make his own single user instance. I can't remember that guy's name, but he might've been involved given the timing. Sprate I think seemed to be disappointed that I spooked them by not clearing the RAT effectively, the guilded leak made them freak out/hide/sperg on kiwi. Meticore/Trollcow seem tech literate.
       
 (DIR) Post #AW7Iiijy1hW8FlxzJw by Sui@decayable.ink
       2023-05-28T14:42:45.124723Z
       
       2 likes, 1 repeats
       
       @p @1nter4ri @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Twoinchdestroya @graf book likely was swatting, bot doesn't even know how to shovel dirt.. JFK's tech savvy, he blamed someone he thought was meticore and said the RAT/program was on github. But again, that zoomer zoosadist isn't trustworthy at all.. I remember they were trying to recruit disgruntled chuds (like jfk and beta), and we had >3k it's hard to keep track of that..
       
 (DIR) Post #AW7JMq7hzpEwjbCZ6m by Sui@decayable.ink
       2023-05-28T14:49:59.993541Z
       
       3 likes, 0 repeats
       
       @p @graf @DK_Dharmaraj @EdBoatConnoisseur @Eiswald He wanted to be a broom, and was a matrix broom. He mostly just disliked me and swatty, he hid behind claire and doll's skirts, especially because we jokingly called him and his thirst posting gay (~january iirc).
       There were never any lawsuits against these spergs, but I do still love how freaked out that made him.
       He left voluntarily, after repeatedly sperging (and being apologized to)...
       
 (DIR) Post #AW7Jcrvh34FKyBE0Nk by Sui@decayable.ink
       2023-05-28T14:52:53.732350Z
       
       1 likes, 0 repeats
       
       @p @graf @DK_Dharmaraj @EdBoatConnoisseur @Eiswald The badge happened, after a poll, once months prior. He cried to claire, not any of the mods, and it was removed within 15 minutes. He then proceeded to bring it up, and how shit me and swatty were as mods until he left for sneed. Both me and swatty apologized for it, at least 2-3 times. One was near the end of his chuds account, you might still have access on FSE, it was peak cringe.
       
 (DIR) Post #AW7Jxvc0YIVCTK3j16 by Sui@decayable.ink
       2023-05-28T14:56:42.561928Z
       
       1 likes, 0 repeats
       
       @p @graf @DK_Dharmaraj @EdBoatConnoisseur @Eiswald He repeatedly went after my wife, despite her involvement literally just trying to talk the roid raging emo faggot down repeatedly.
       Everything was always clearly there, donations aren't refundable and they weren't purchases. This was explained to him multiple times.
       That's the guy, Imago. You should probably look into him, alfa talked quite a bit about him.
       I'm liek totes a gay gurl u guiz.
       
 (DIR) Post #AW7M9Od9Ccx7Z4BjMm by Sui@decayable.ink
       2023-05-28T15:21:11.480478Z
       
       3 likes, 0 repeats
       
       @p @graf @DK_Dharmaraj @EdBoatConnoisseur @Eiswald Sidenote, them fail doxing me as my wife pushes me away from thinking that JFK/Betawhiner from being the ones to do it. Both knew there were 2 people here. Someone like meticore (who later seemed surprised I was married) or trollcow (who seemed far more fixated on claire and dramanigger shit) seems more likely. I downloaded the same RAT, and I'm rent free for JFK/Alfa, they would've life ruined
       
 (DIR) Post #AW7NhyE1T6otlAUDY0 by Darberto@coolsite.win
       2023-05-28T15:38:38.952680Z
       
       2 likes, 0 repeats
       
       Beta and jfk are bitch made
       
 (DIR) Post #AW7OyMjGEPXCLQTmyW by Sui@decayable.ink
       2023-05-28T15:52:48.533891Z
       
       2 likes, 0 repeats
       
       @Darberto @p @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @graf Nah, they're both super cool dudes.
       >WAH! They blocked me for posting animals burning to death WAH!
       and
       >WAH! They gave me a fag badge for being a fag WAH!
       Can't get much cooler than that.
       
 (DIR) Post #AW7xsTzpnOEFXfA6T2 by p@freespeechextremist.com
       2023-05-28T22:23:56.159391Z
       
       1 likes, 0 repeats
       
       @Sui @1nter4ri @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Twoinchdestroya @graf Yeah, I've talked to Meticore/Trollcow, they both seem like they know what they're doing.
       
 (DIR) Post #AW7zuQtoTuNqQLP3k8 by p@freespeechextremist.com
       2023-05-28T22:46:41.905409Z
       
       1 likes, 0 repeats
       
       @Sui @1nter4ri @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Twoinchdestroya @graf > book likely was swatting
       Paying that Telegram account to swat, anyway.
       > bot doesn't even know how to shovel dirt
       Knowledge and skills are for gay pedophiles!
       She thought that Prude and me were the same person and that arguing with each other was some schizo plot to cover up that we're the same guy.  How she cracked the case:  his name starts with "P".  It all adds up!
       I don't really know the other people; I only met meticore because of the FBI sniffing around.  meticore seems cool.
       lavos_feat._ytcracker--i_am_the_storm_swat_me.mp3
       
 (DIR) Post #AW80HJkJF8vUtms0R6 by p@freespeechextremist.com
       2023-05-28T22:50:50.056008Z
       
       1 likes, 0 repeats
       
       @Sui @graf @DK_Dharmaraj @EdBoatConnoisseur @Eiswald Yeah, the badges don't even federate, I don't know how his panties got in such a bunch.
       
 (DIR) Post #AW80NITSsstUgyqIBk by graf@poa.st
       2023-05-28T22:51:53.388114Z
       
       4 likes, 0 repeats
       
       @p @Sui @DK_Dharmaraj @EdBoatConnoisseur @Eiswald it's still funny as fuck tho
       
 (DIR) Post #AW80uByq38Wo6kCdfs by Sui@decayable.ink
       2023-05-28T22:57:51.283687Z
       
       3 likes, 0 repeats
       
       So he doesn't even swat for himself? That's somehow even more lame.
       Lmfao, I don't even know if you're joking about the P bit as I've heard more retarded arguments from him/it before.
       Meticore, I still don't really know tbh. People were claiming he was king of pol (someone from ~2016's 4chan I don't know), seems more likely he's esofaggy to me. He's some ethan ralph fan who kept trying to start/escalate drama, and is likely somewhere near the centre of the past 2 hacks. My main interactions with him were "Who the fuck are you?" and him getting pissy that I didn't know/care, then he'd name drop me randomly to let me know he was thinking of me <3.
       
 (DIR) Post #AW811aEcGpHhMJ6hqy by n3f_X@nicecrew.digital
       2023-05-28T22:59:08.465147Z
       
       1 likes, 0 repeats
       
       lol he is after u now
       
 (DIR) Post #AW8EsqDur1CdhOVO2y by p@freespeechextremist.com
       2023-05-29T01:34:29.165824Z
       
       0 likes, 0 repeats
       
       @graf @Sui @DK_Dharmaraj @EdBoatConnoisseur @Eiswald :brandt:
       
 (DIR) Post #AW8F1zzLuv36ai3mCm by p@freespeechextremist.com
       2023-05-29T01:36:08.468319Z
       
       3 likes, 1 repeats
       
       @Sui @1nter4ri @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Twoinchdestroya @graf > I don't even know if you're joking about the P bit
       No, that's real.  @p, Prude, Poast, it's a conspiracy.
       
 (DIR) Post #AW8FAJfgcXurx8pMBs by graf@poa.st
       2023-05-29T01:37:37.316999Z
       
       4 likes, 0 repeats
       
       @p @Sui @1nter4ri @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Twoinchdestroya PPPN
       
 (DIR) Post #AW8OMyHENK7ox2Uuga by p@freespeechextremist.com
       2023-05-29T03:20:46.582833Z
       
       0 likes, 0 repeats
       
       @graf @Sui @1nter4ri @DK_Dharmaraj @EdBoatConnoisseur @Eiswald @Twoinchdestroya :terrysmug2:
       
 (DIR) Post #AWEB8yiTL3KQguuLya by OrangeyIs@bae.st
       2023-05-31T22:20:50.725576Z
       
       0 likes, 0 repeats
       
       @graf You're welcome! :)
       
 (DIR) Post #AWQXg6iL9YQLwOZFYW by jeff@federated.fun
       2023-05-28T02:35:24.494862Z
       
       1 likes, 0 repeats
       
       @p @kirby @graf also no ballsack, just a huge futa cock. this makes it impossible to be gay
       
 (DIR) Post #AWQXhxfTl1SySp75Yu by jeff@federated.fun
       2023-05-27T02:18:51.238545Z
       
       0 likes, 0 repeats
       
       @mint @lain @graf lol csp
       
 (DIR) Post #AWQjTaDxK7U59L9MdE by p@freespeechextremist.com
       2023-06-06T23:42:04.834806Z
       
       0 likes, 0 repeats
       
       @jeff @graf @kirby They can't touch, the balls can't touch.
       
 (DIR) Post #AWQjXCqKCDGxnCpAXI by marine@breastmilk.club
       2023-06-06T23:42:43.422677Z
       
       1 likes, 0 repeats
       
       @p @jeff @kirby @graf don’t your balls touch in the ballsack, or no?
       
 (DIR) Post #AWQjYMo0dmCYysIKvI by jeff@federated.fun
       2023-06-06T23:42:56.030676Z
       
       1 likes, 0 repeats
       
       @p @kirby @graf EXACTLY :JahyHyper:
       
 (DIR) Post #AWQjc80TbXcQF0v5Ci by Coconut8@poa.st
       2023-06-06T23:43:36.498504Z
       
       1 likes, 0 repeats
       
       @marine @p @jeff @kirby @graf No, do not touch.
       
 (DIR) Post #AWQjemtmXXIte23ZB2 by marine@breastmilk.club
       2023-06-06T23:44:05.508605Z
       
       1 likes, 0 repeats
       
       @Coconut8 @jeff @kirby @p @graf but they’re in the same sack together, no?
       How do they not?
       
 (DIR) Post #AWQjow8P3XjxBWjcnI by JAJAX@clubcyberia.co
       2023-06-06T23:45:55.730778Z
       
       1 likes, 0 repeats
       
       @marine @jeff @kirby @p @Coconut8 @graf there's a matrix of epithelial tissue dividing them so no they don't really touch
       
 (DIR) Post #AWQllV5hLa5gLlxVrs by p@freespeechextremist.com
       2023-06-07T00:07:43.721839Z
       
       0 likes, 0 repeats
       
       @marine @graf @jeff @kirby That's one balls, though.
       
 (DIR) Post #AWQlpJbQ0DgtsUcB4i by marine@breastmilk.club
       2023-06-07T00:08:24.373034Z
       
       1 likes, 0 repeats
       
       @p @jeff @kirby @graf don’t men have two balls? How is that only one balls?
       
 (DIR) Post #AWQlpiXjH4avEI55IO by p@freespeechextremist.com
       2023-06-07T00:08:29.450439Z
       
       0 likes, 0 repeats
       
       @marine @Coconut8 @graf @jeff @kirby They are one balls.  It is like one hand clapping.
       
 (DIR) Post #AWQlufY1q0FRO7a9su by marine@breastmilk.club
       2023-06-07T00:09:22.323747Z
       
       1 likes, 0 repeats
       
       @p @jeff @kirby @Coconut8 @graf so then two balls is two sets?
       
 (DIR) Post #AWQmNEuxvVtPC6vz0q by Coconut8@poa.st
       2023-06-07T00:14:32.327969Z
       
       3 likes, 0 repeats
       
       @marine @jeff @kirby @p @graf Scrotal septum (membrane separates them), then a couple layers of tunica (fibrous tissue) also surround them.  The two sides of the scrotum form from labial swellings that don't fuse until about 12 weeks gestation.  So actually 2 sacks that fuse inside the bigger outer sack with membrane between them.  Interestingly sacks are empty until later when testicles descend from abdomen through separate inguinal canals.  No touching of testicles within the sack, sorry.
       
 (DIR) Post #AWQmVKq1naDrsAU80m by jeff@federated.fun
       2023-06-07T00:08:42.654380Z
       
       1 likes, 0 repeats
       
       @marine @kirby @p @graf multi sack drifting
       
 (DIR) Post #AWQn8tM3OumADYKKLw by p@freespeechextremist.com
       2023-06-07T00:23:09.668488Z
       
       1 likes, 0 repeats
       
       @marine @graf @jeff @kirby You ever buy one jean or do you buy a pair of jeans?  Those are one jeans.
       
 (DIR) Post #AWQnB8OKSwBfQrSbhI by p@freespeechextremist.com
       2023-06-07T00:23:33.964221Z
       
       0 likes, 0 repeats
       
       @marine @Coconut8 @graf @jeff @kirby No, that is one balls and another balls.  It's like pants.
       
 (DIR) Post #AWQnD6KJ77SbbiW7Mm by marine@breastmilk.club
       2023-06-07T00:23:54.618869Z
       
       1 likes, 0 repeats
       
       @p @jeff @kirby @graf it’s a pair of jeans, yes.
       
 (DIR) Post #AWQoBeLrjpGgVe7Myu by p@freespeechextremist.com
       2023-06-07T00:34:51.877983Z
       
       2 likes, 0 repeats
       
       @marine @graf @jeff @kirby One balls is like one jeans.
       
 (DIR) Post #AWQqWlNN17KcHh16vI by graf@poa.st
       2023-06-07T01:01:03.449153Z
       
       4 likes, 0 repeats
       
       @p @marine @jeff @kirby hi pete, i had a great day today i hope everybody ITT did as well :hug:
       
 (DIR) Post #AWQqjgTmX9OsrXB2ci by marine@breastmilk.club
       2023-06-07T01:03:24.809455Z
       
       1 likes, 0 repeats
       
       @graf @jeff @kirby @p well, I finally got my desk at work back and got to unpack my stuff that’s been packed up in cabinets for two months.
       
 (DIR) Post #AWQrJfLQELKnlfQMpk by p@freespeechextremist.com
       2023-06-07T01:09:55.705620Z
       
       0 likes, 0 repeats
       
       @graf @marine @jeff @kirby That is excellent, friend.  It's only 18:09, my day is barely started.