Posts by null@puddle.town
(DIR) Post #AQsMiNxkWlXXEimLQW by null@puddle.town
2022-12-22T08:39:35Z
1 likes, 0 repeats
@tinker @valkyrie "At that point, you're only worried about your own content." I have to disagree. It may be counterintuitive, but the way media storage works with Federation, your single-user instance is storing a copy of every blob it comes across. Simple example: someone you follow on your quiet little instance boosts (reblogs) something illegal. It's in your media storage now. Complex example: you've joined a public relay in an effort to pull more content into your timeline. Now you're exposed to all sorts of things that are instantaneously, often without you noticing, pushed into media storage... maybe an S3 bucket with a third-party provider. Maybe they're scanning for bad content and catch something. Who's on the hook? I have my own single-user instance, and after less than a month, I have over 100 GB of media stored. I honestly have no idea what's in there, and that gives me pause.
(DIR) Post #ARIGOjO9bsrwdql0PA by null@puddle.town
2023-01-04T05:41:46Z
0 likes, 2 repeats
It's trivial to determine the real IP of a Mastodon server behind Cloudflare. All it takes is one well-crafted request: https://gist.github.com/cutiful/4f36da3ed37b24f9a7106064393f5e7f I wonder how many instance admins using Cloudflare know about this? My hunch is most do not, because the primary justification I see for using Cloudflare here is DDoS protection. Cloudflare won't help if the attacker knows your origin IP, and you can't hide that with Cloudflare alone, due to the nature of ActivityPub. #MastoAdmin #InfoSec
(DIR) Post #ARIGOkikemwIm1Oy9I by null@puddle.town
2023-01-04T05:49:49Z
0 likes, 0 repeats
There may be other good reasons to use #Cloudflare. You get a global CDN for free, to name a big one. I'm curious what other admins think, and what the motivations are for using it. I should note, I'm not ideologically opposed to Cloudflare. I use it elsewhere. I'm more interested in the technical side of it as I consider whether it makes sense to use for my own instance. #MastoAdmin
(DIR) Post #ARWcxpeqs7j9UrLhNQ by null@puddle.town
2023-01-10T23:10:55Z
0 likes, 1 repeats
Mastodon is hiring a DevOps engineer. This might be a good role for one of you #MastoAdmin. Pay is low for the job but it's for a non-profit and a good cause. 🐘 https://jobs.ashbyhq.com/mastodon/290fd40f-125e-41fc-942d-f4ce59e6bda2
(DIR) Post #ARjJhEdCGOvar7TMsi by null@puddle.town
2023-01-17T07:54:01Z
0 likes, 1 repeats
One of my favorites, but I can't find the original artist. Anyone know? #pixelart
(DIR) Post #ARjK675BSxXogSQUaW by null@puddle.town
2022-12-29T03:55:31Z
0 likes, 0 repeats
Playground by Pixel Jeff #pixelart
(DIR) Post #ASCGV9b2UYWzUGqhMW by null@puddle.town
2023-01-31T07:15:47Z
0 likes, 1 repeats
The DoS attack against mastodon.online and mastodon.social is not very sophisticated. The attacker is using Digital Ocean to send various HTTP requests from multiple IP addresses at the same time. It's enough to exhaust Nginx worker connections. The user agents are spoofed. That's basically it. #ActivityPub #DDoS #InfoSec
(DIR) Post #ASVrAcEXD63FXgUHC4 by null@puddle.town
2023-02-09T19:22:12Z
0 likes, 0 repeats
Samsquanch
(DIR) Post #ASXQgVLI3cnKzTY3km by null@puddle.town
2023-02-10T09:20:27Z
0 likes, 0 repeats
It looks like a bad actor is using activitypub-proxy for block evasion. The package description is very specific as to its purpose: https://socket.dev/npm/package/activitypub-proxy I think the takeaway (for me at least) is to block these domains: anemoneya.me, homunyan.com, nemoneya.me, shitposter.club, shrimpcam.pw. Original post: https://puddle.town/@null/109839571095716330 Thanks @panther_modern for the pointers. #FediBlock #MastoAdmin #InfoSec
(DIR) Post #ATQMM2Nb7wLbbXYZt2 by null@puddle.town
2023-03-08T22:16:38Z
0 likes, 0 repeats
@tinker awk -F',' 'NR==FNR{a[$1]=$2; next} {print $0","a[$2]}' file2.csv file1.csv
(DIR) Post #AU4FylWSZfzaUh6yqu by null@puddle.town
2023-03-28T03:24:20Z
0 likes, 1 repeats
Apple added proper content previews for Mastodon links in iMessage. Neat. https://www.macrumors.com/guide/ios-16-4-new-features/
(DIR) Post #AUJYJGq0ZBMpA1UICm by null@puddle.town
2023-04-04T06:32:13Z
1 likes, 1 repeats
Ancestors by Kenze Wee #pixelart
(DIR) Post #AVT8P6AhNxlwiJxhUu by null@puddle.town
2023-05-09T03:20:33Z
0 likes, 1 repeats
"Zuckerberg misled everyone, burned tens of billions of dollars, convinced an industry of followers to submit to his quixotic obsession, and then killed it the second that another idea started to interest Wall Street." "There is no reason that a man who has overseen the layoffs of tens of thousands of people should run a major company. There is no future for Meta with Mark Zuckerberg at the helm: It will stagnate, and then it will die." -- Ed Zitron
(DIR) Post #AVTcoaG8oxBKCSFNDs by null@puddle.town
2023-05-08T19:42:34Z
0 likes, 0 repeats
@volkris @louis @downey I don't think it's fair to play grammar police on one message pulled from Discord. That entire channel is full of half-baked, poorly formatted stream-of-consciousness messages from everyone trying to type as fast as possible before the conversation moves on. Having said that, I don't agree with Gargron either. But I understand where he's coming from. This thing is his baby, and it hasn't taken off in comparison to other services, and I think it's rational to examine why.
(DIR) Post #AVTcobWq6M8I8X4DtA by null@puddle.town
2023-05-08T19:43:51Z
0 likes, 0 repeats
@volkris @louis @downey and I think we all have to agree: user onboarding has been a problem. Maybe not for us, specifically, but for a lot of people. At the very least, it's caused friction and confusion. We see that clearly in some of the news coverage of Mastodon. Once that narrative is out there, it's hard to overcome.
(DIR) Post #AVbJA7fbLteA5FpPtI by null@puddle.town
2023-05-13T03:22:05Z
1 likes, 0 repeats
After Rain by Pixel Jeff #pixelart
(DIR) Post #AVyPjVkckzTdVtxUR6 by null@puddle.town
2023-05-24T06:55:39Z
0 likes, 0 repeats
I'm skeptical of passkeys because the current implementations rely on big tech companies to store those secrets. Namely, Google and Apple. Do I have to explain why this is a bad idea? 1Password support is coming, and I'm sure other 3rd party password managers will follow, and while I think this is better than using Apple or Google, it's still problematic.
(DIR) Post #AVyPjWrkbyluyIIhBQ by null@puddle.town
2023-05-24T06:58:59Z
0 likes, 1 repeats
Looking at Google's FAQ (https://developers.google.com/identity/passkeys/faq), it's all very reassuring, and I understand they claim end-to-end encryption of the passkeys. Let's assume that's true. You know what it still doesn't protect against? Google deleting your account on a whim.
(DIR) Post #AVyPjXkLL0RNhbqIHA by null@puddle.town
2023-05-24T07:02:37Z
0 likes, 0 repeats
Imagine you go all in on passkeys. You store it all in Google Password Manager. One day you wake up and they claim a ToS violation on your account, disable it without further explanation, and all your passkeys are toast.
(DIR) Post #AWxlPrEhtplQWiTiQi by null@puddle.town
2023-06-20T16:58:31Z
0 likes, 1 repeats
I think instance admins should leave it to their users to block #Meta (or not). All the tooling is already there; it's very easy for a user to block an entire domain. As a user, I will definitely block.