@stefan I was adding my username to the end of the URL. I think that's when I got the error. Initially it didn't seem like putting just the domain was working/did anything. A later try and it worked just fine when putting in only the domain.
The defendant’s online moniker, which she has used consistently since 2002, bears a superficial resemblance to the former Twitter username of Anna’s Archive (point 22);
The defendant believes that libraries and archives should be “free and widely available” (point 23);
The defendant has experience with hosting website domains (point 25);
The defendant developed a Python module for interacting with WorldCat APIs (point 26);
I set up a new instance a week or two ago, and have some subscriptions to communities on lemmy.world. The logs for the Lemmy process are currently showing a constant flood of warnings for what look like ordinary activity (likes, creates, undos, etc). Here are two recent entries:...
So far I’ve checked several “getting started”'s and FAQ’s and Google and everyone just tells me that it’s possible but nobody tells me fucking WHERE. So obviously I’m in need of help. Preferably with a diagram or colourful pictures....
Here is our regular update that explains what we have been working on for the past two weeks. This should allow average users to keep up with development, without reading Github comments or knowing how to program....
I just noticed your username. Thank you for the project, Feather is amazing. I have a question though. I know Ruckinum ran an analysis and thinks this is not a black marble flood, but I can’t help but think it’s a way to somehow break the anonymity of monero, whether just sent amounts, or received amounts, which would still give a wealth of information.
I don’t believe this is a random (D)DoS/spam. This is a deanon attack. I know it in my gut. I don’t know enough about the internals of monero but I think you might.
Specifically…
The bug was triggered when the number of RingCT outputs on the blockchain exceeded 100 million.
For instance, this transaction was constructed using a manipulated output distribution. Can you determine what the true spend is? Notice that all ring members are older than 1y 200d except for one 6-day-old output. Unless the user checks the ring on a block explorer and knows what to look out for, they would not notice that their transactions are being fingerprinted.
My understanding is that the 16 (or 15+real?) rings are all real, prior transactions. Are the transactions reused? If not, then they exhaust the supply of rings and now have great statistical advantage going forward. If they are reused, then they can tell the real spend by discarding any spend that’s been used more than once. Is that correct?
I can’t help but believe this is part of something larger, along with all the previous attacks in the last 2 years and now Samourai, Liquid pulling out of US, attacks on tor, RISAA and mandatory KYC on US cloud providers and domain registrars…
On that note, we’ve known LE has tools for years now (Chainalysis and 1-2 others) that can in some circumstances give a lead on who a target is, likely via statistical analysis. The tools are only available to law enforcement so the methods aren’t known. My thoughts are, in no particular order:
They run or have compromised a lot of ‘activist’ nodes and xpubs are sent to the nodes in light wallets, unsure if this is how it works, or if that was unique to Samourai’s whirlpool design. If this was the case, light wallets use currently online available servers, so chances are a user connects their wallet to tens of servers. Users who run their own nodes would be unaffected but I think the majority of monero users use light nodes.
They have tools that monitor public ledger chains, and watch the amounts in/out. You use an exchange service to trade $500 of BTC to XMR, the amounts (fees included) are correlated over time, leading to known persons selling via KYC services. Probably least likely option but unsure how XMR works in depth.
They run and/or work with (gag order) no-KYC major services that would have that information, as well as other more ‘centralized’ helpful no-KYC exchange services that know exactly what amount and address the funds are going to and where they came from.
To do so, there would need to be a centralized or federated list of all accounts
Why would there be? The app would just search for the domain name first (let's say "aussie.zone") and then your username (in your case "hitmyspot"). That's kinda how email works as well. What centralized database would you need to interrogate a server on login? It's no different than the current implementation, only that you do not need to remember the website first, just enter the whole username in one go.
The domain for my email is gmail.com not Aussie zone. I also cannot log in to gmail on the hotmail (outlook? )site. Perhaps you are interpreting their request to not use username and site name and instead use email, to instead use a long form Lemmy username?
That could work, but I don’t know that it adds any extra layer of simplicity, but maybe that’s what they meant. My interpretation is that they are saying to link your account to your email address, as that’s what most other services do. Without knowing which instance you register with, there would need to be a registry. Perhaps this could be hashed in some way, but it would still be effectively public facing as any instance would need access.
I’d like to move to Proton, but goodness are there no good usernames left. I’d have to go the custom domain route which isn’t awful but it’s just more effort.
Using those usernames/profiles to look at the posts directly, I don't suppose there is anything that might detail what is going on?
Can you get me the full usernames including domains (e.g., PellyNews@blah.blah)? More info couldn't hurt when compiling the issue report.
The only thing I can think of is that maybe you are somehow "subscribed" to other domains because you follow some magazine/community there, and I am not, so the posts don't show up for me. That doesn't really make sense, but neither does anything else.
I did do a little searching for terms like "delete", "cache", and even "different", and didn't see this exact issue anywhere. The closest I found was this: https://codeberg.org/Kbin/kbin-core/issues/875 . It doesn't seem like a federation issue, though, since we are on the same instance. But, if you wanted to experiment further, you could try either downvoting or commenting on the spam to see whether that makes it visible to me.
Usernames on bluesky are domain names. Presumably, someone would be able to figure out arianagrande.freedomains.com is possibly not the real ariana grande.
This said, the system appears to incredibly strongly resist using a name on the banned names list through any mechanism. I am trying to set up test.bsky.runhello.com and failing miserably
That's not a correct interpretation of the permission:
Access your data for sites in the “named” domain
The extension could read the content of web pages you visit in the specified domain, as well as data you enter into those web pages, such as usernames and passwords.
It requires permission to modify said domains to remove the paywall from their articles.
Manitoba RCMP is warning the public about interac e-transfer scams that are becoming more prevalent. In these instances, the victim receives an email which appears to be from someone trying to send them an interac e-transfer. At first glance it appears legitimate and when the victim clicks on the link and enters in their banking...
This is one of the many reasons that banks should stop being hostile to password managers. Browser-integrated password managers significantly help protect against phishing because my username + password won’t auto-fill on the wrong domain. So I need to take my time and look up my password. Which will at the very least make me suspicious and give me extra time to consider what I am doing.
My friend Evan Henshaw-Plath wrote recently about some concerns with ActivityPub. I want to go over his concerns one by one and give some assessment of how accurate and important I think they are. Rabble’s words in italics; my responses in just normal text.
User identities are tied to a server. This is only partially true; your user identity is tied to a domain, not a server. But most servers only handle one domain, and most people don’t move their domains between servers. We have a section on domain portability between servers on the ActivityPub Data Portability report.
Using domains is also how much of the Internet works. Email addresses are tied to a domain; Web sites are tied to a domain. You can move the domain between different implementations transparently. It’s a really robust architecture that has stood the test of time for almost 50 years.
Users can’t migrate between servers. Partially true. Rabble covers the essentials; you can move followers and not much else. It’s also possible to move your “stuff” between identities; that’s most of what our Data Portability task force is working on.
On a single server, it is impossible to change your username! Somewhat true. ActivityPub identities are URLs like https://social.example/user/vtles1XgZkPUEulBsFmRX. That identity URL is immutable; you can’t change it. Some implementations include a username in that URL, like https://other.example/user/evanp. With that kind of server software, it’s true, you can’t change the username.
Also, we use a standard called WebFinger that maps an identity string like username@domain to a URL. You can read about it in the ActivityPub WebFinger report. Some servers use that string, instead of the ActivityPub ID, as the unique ID for a remote user. That’s discouraged, but if someone does that, changing your user ID will make you no longer findable for those other servers. I think as we stabilize our use of WebFinger, some of these usages are going to get better.
Fediverse servers have total control over your account and data. True. This is the “federation” part of the fediverse. It’s how Web sites and email work. Don’t use a fediverse server without a good trust relationship with your server admin; ideally someone you have a business relationship with, or your employer, or your university. Same goes for email!
It also means that if you control your own server, you have total control over your account and data. That’s a feature, not a bug.
Another option is using a cooperative server, like cosocial.ca or social.coop. A cooperative is a legal structure in which members pay for and manage their own service. I think cooperatives are awesome.
The fediverse is a network of fiefdoms, each server admin having total control over their users. This seems about the same as the previous statement, but OK. I think the key strength of the fediverse here is that we can have dozens of different models for server governance — coops, enterprises, city libraries, family servers, individual servers. That level of experimentation is a feature, not a bug. Governance is not baked into the protocol.
Each kind of fediverse server is isolated. This one is just plain wrong. ActivityPub is based on an open data standard called Activity Streams 2.0 (AS2) which models social data. There is an extensive standard vocabulary that can represent Web content like text, images, video and audio, and the social graph, but also well-known social interactions like check-ins, events, and groups. More importantly, Activity Streams 2.0 is extensible, meaning you can add properties to existing types, or whole new types of objects or interactions. And every ActivityPub server is built to handle AS2.
What is true is that we have had a lot of servers that only handle a subset of the AS2 vocabulary, and reject content they don’t know how to handle. This is mostly due to mimicking the siloed social networks; we’ve gotten used to thinking of different social networks for different kinds of content. I think this is changing, especially as new kinds of content hit the network. Developers are just learning how to effectively handle extension content with fallback representations. I look forward to this improving over time.
The fediverse has no privacy; there is no system of end-to-end encrypted messaging. The first part is false; you can mark your posts as followers-only, or directed to a single person, or a group of people. Servers enforce this privacy. You can also mark that you don’t want your public posts to be indexable or your public account to be discoverable.
However, the second part is true; we don’t have end-to-end encryption. So, if you send a private message to someone on another server, your message can be read by both your admin and their admin. It’s stored in the clear on both servers. This is also how email works, as well as most direct messages on commercial social networks. However, it’s something worth working on. I’ve sketched out an architecture for end-to-end encryption over ActivityPub, and I’ve got a proposal out to work on it for Summer of Protocols. I think it will be good to level this up!
The fediverse has no system for micropayments. This is true. The fediverse is also first and foremost for social networking — connecting to friends, family, colleagues and neighbours. Most of these interactions are not mediated by payment; in fact, payment cheapens those interactions.
However, there are other relationship types on the fediverse — supporting creators, journalists, or publishers. The main way to do this today is with paid subscriptions; for example, you can subscribe to evanplus@prodromou.pub to get access to premium content I publish. You have to send me US$5 out-of-band or I won’t approve the follow; that’s the state of play right now on the fediverse.
I think in-band payments are kind of cool for this kind of work, as well as for marketplaces — buying and selling services or goods over the fediverse. I think the easiest structure is adding payment URLs like a PayPal account, or blockchain wallets like a Bitcoin Lightning address.
Lastly, and most importantly for me, the culture of fediverse server admins and developers is vindictive. I don’t think this is the case; I love the culture of the fediverse, which is playful, conversational, and collaborative.
I think there are plenty of good points in Rabble’s critique, but there’s one way that I think he’s extremely wrong. There is still a lot to do in the ActivityPub ecosystem, but we have the architecture and extension mechanisms to make them possible. It’s totally not required to go start a whole new social protocol to build those things in from scratch. In fact, it’s a real mistake; it’s far better to work from the existing standard and build on it. Open standards like ActivityPub have a legitimacy that ad hoc systems like Nostr can never have, and it’s the reason that there is so much interesting development going on in the ActivityPub world.
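The two passages above that touch on this, the login-thread idea of typing the whole username@domain in one go and Evan's description of WebFinger mapping that string to a URL, both come down to the same small procedure: split the handle, query the domain's `/.well-known/webfinger` endpoint with an `acct:` resource, and pick the ActivityPub `self` link out of the JSON (JRD) answer. The following is an added example, not code from Lemmy, Mastodon or either author; the account `evanp@other.example`, the hostnames and the JRD document are constructed stand-ins for a real response.

```python
import json
import re
from urllib.parse import quote, urlsplit

# Constructed JRD document in the WebFinger JSON shape (RFC 7033); not fetched
# from any real server. The account and hostnames are hypothetical.
SAMPLE_JRD = json.dumps({
    "subject": "acct:evanp@other.example",
    "aliases": ["https://other.example/@evanp"],
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
         "href": "https://other.example/@evanp"},
        {"rel": "self", "type": "application/activity+json",
         "href": "https://other.example/user/evanp"},
    ],
})

_HANDLE_RE = re.compile(r"^@?(?P<user>[^@/\s]+)@(?P<domain>[A-Za-z0-9.-]+)$")


def parse_handle(handle):
    """Split 'user@domain' (a leading '@' is tolerated) into (user, domain).
    This is the step a login form does when the whole handle is typed at once."""
    m = _HANDLE_RE.match(handle.strip())
    if not m:
        raise ValueError(f"not a user@domain handle: {handle!r}")
    return m.group("user"), m.group("domain").lower()


def webfinger_url(handle):
    """Build the WebFinger query URL for a handle (the resource is an acct: URI)."""
    user, domain = parse_handle(handle)
    resource = quote(f"acct:{user}@{domain}", safe=":@")
    return f"https://{domain}/.well-known/webfinger?resource={resource}"


def actor_url_from_jrd(jrd_text, requested_handle):
    """Extract the ActivityPub actor URL from a JRD response.

    Returns (actor_url, same_host). The subject must echo the account that was
    asked for, otherwise a misbehaving server could answer for a different
    identity. A 'self' link on another host is not necessarily bogus (some
    deployments split the web domain from the account domain), so it is
    reported rather than rejected; callers should re-verify by fetching the
    actor before trusting it."""
    user, domain = parse_handle(requested_handle)
    jrd = json.loads(jrd_text)
    if jrd.get("subject", "").lower() != f"acct:{user}@{domain}".lower():
        raise ValueError("JRD subject does not match the requested account")
    for link in jrd.get("links", []):
        if link.get("rel") == "self" and link.get("type") == "application/activity+json":
            href = link["href"]
            if urlsplit(href).scheme != "https":
                raise ValueError("actor URL must be https")
            same_host = (urlsplit(href).hostname or "").lower() == domain
            # Key remote users by this actor URL, not by the user@domain string:
            # the handle can change, the actor ID is immutable.
            return href, same_host
    raise ValueError("no ActivityPub self link in JRD")


if __name__ == "__main__":
    print(webfinger_url("@evanp@other.example"))
    print(actor_url_from_jrd(SAMPLE_JRD, "evanp@other.example"))
```

The subject check and the `same_host` flag are the two places where a client protects itself: without the first, any server you query could hand back an actor for an account you never asked about; without the second, a handle on one domain can silently resolve to an actor on another, which is sometimes legitimate but always worth a second lookup.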
Nostr is part of the fediverse. I'm posting this right now on Nostr and you're reading it on the attractive.space mastodon server. I'm a big fan of the fediverse and thankful for everything it has done to make an open social media protocol a reality. You'll be able to see some of the posts of creators and journalists on nostr directly in your mastodon instance, but there's a bunch it doesn't and can't support.
There are a lot of things that Mastodon & ActivityPub can’t do.
User identities are tied to a server; if the server goes down, you lose your account, as happened when queer.af had their domain name seized.
Users can’t migrate between servers. In some servers there’s a system where they can request a migration, where they can stop using one account and point their followers to a new account, but server admins need to allow this, and your followers don’t automatically follow your new identity on a new server.
On a single server, it is impossible to change your username!
Fediverse servers have total control over your account and data; they can see all of your private messages or write new ones on your behalf.
The fediverse is a network of fiefdoms, each server admin having total control over their users. Often they are benevolent and use their power to decide what behavior is acceptable on their server, but it’s opaque. Most fediverse server admins keep their moderation and defederation decisions secret. So, users must choose a trust and safety regime without any understanding of the rules and how they’re enforced. When combined with the very limited ability to migrate between servers, only with server admin's permission, it’s a problem.
Each kind of fediverse server is isolated. You can use a Peertube instance to federate with other Peertubes for video, or Mobilizon for meetup-style events, or Pixelfed for Instagram-like photo sharing, or WriteFreely for blogs. But each of these is isolated. I need a new account on an instance of each of these servers. They all run the same protocol, but they aren’t actually interoperable. You can’t use a single fediverse identity with your profile and followers in Peertube, Mobilizon, WriteFreely, and Pixelfed. You need a totally separate account in each one. With Nostr, you can use dozens of apps all with your same identity, content, and followers.
The fediverse has no privacy; there is no system of end-to-end encrypted messaging. In Nostr, you can have private direct messages and even private groups that are encrypted. Nostr even supports encrypted private file sharing.
The fediverse has no system for micropayments. The zaps on Nostr enable easy ways to fund creators and journalists with either one-off tips or subscriptions to unlock paid content, like paid Substack newsletters or OF accounts.
Lastly, and most importantly for me, the culture of fediverse server admins and developers is vindictive. It’s a community that attacks people who make proposals or want to try out new ways of using the network. That is why there is no search, no ability to choose an algorithm, no private groups, no private messages, no system for payments, etc. Those have all been proposed or even built, but the fediverse culture has gone after those people, punishing them for suggesting new ways of doing things.
If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A lot of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.
The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab's clusters over a four-year period. It peaks at about 3.4 million login attempts per day.
This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.
A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at #NSDI24 by @sachindhke . The full paper is at https://www.flux.utah.edu/paper/singh-nsdi24
@SoniEx2 @cloudlab @sachindhke An excellent question that I can only speculate on right now, in part because our study only covers IPv4, and in part because I expect the landscape to change, but it's hard to predict exactly how.
In the short term, switching ssh and other services to #IPv6 only will likely reduce the brute force attacks you see by a lot. Our data suggests that attackers are hitting the IPv4 space at random, which is a perfectly good strategy for the relatively dense IPv4 space, but a terrible strategy for the gigantic IPv6 space. If I were an attacker doing brute force, I'd stick to the IPv4 space that's easy and has plenty of targets.
However, let's consider more sophisticated attackers, and/or a future world where we've moved entirely to IPv6. There are lots of things you can do to cut down the scanning space. Most IPv6 space is not even allocated, so you can just skip that. You can focus on specific prefixes used by large ISPs and cloud providers to increase your hit rate. You can use information about the way some devices use MAC addresses to generate part of their public address to target popular NIC and/or IoT vendors. You can keep track of live IP addresses based on observed connections (e.g. scan everyone who connects to your website). You can try to enumerate DNS domains to look for targets (most DNS servers try to prevent this, but there are all kinds of attacks on DNS). You can share lists of the live addresses you find. And these are just off the top of my head; I'm sure people have come up with plenty more already, and will find plenty more in the future.
So, will we eventually reach a point where IPv6 scanning is as effective as IPv4 scanning is today? It seems unlikely, but scanning the entire IPv4 space in minutes seemed unlikely not too long ago. So in the long term, I wouldn't bet on security that depends on IPv6 being hard to scan. I would expect that we'll all want to keep up the same strategies of using keys, blocking attackers that we detect, etc.
One thing I would expect is for the patterns to change: right now acquiring a target is easy, so attacks that just try once and move on are common. On IPv6 - both now and in the future - I'd expect that the difficulty of finding targets means that once you find one, you're going to try a lot more usernames and passwords on it.
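The thread above describes the two shapes of brute-force traffic a defender sees in `sshd` logs: many sources each trying a few passwords and moving on, and (expected to become more common on IPv6) a single source hammering one host with many usernames. The following is an added example, not the CloudLab study's method or code from the NSDI paper; it is a plain per-source threshold detector run over constructed `sshd` log lines (the hostnames, PIDs and addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 are made up), reporting failure counts, the number of distinct usernames tried, and whether failures arrived in a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log lines in the classic syslog shape; not real traffic.
SAMPLE_LOG = """\
May 11 03:14:07 node1 sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 11 03:14:08 node1 sshd[2131]: Failed password for root from 203.0.113.7 port 51236 ssh2
May 11 03:14:09 node1 sshd[2133]: Invalid user oracle from 203.0.113.7 port 51240
May 11 03:14:09 node1 sshd[2133]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
May 11 03:14:11 node1 sshd[2135]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
May 11 03:14:12 node1 sshd[2137]: Failed password for invalid user ubuntu from 203.0.113.7 port 51250 ssh2
May 11 03:20:40 node1 sshd[2140]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
May 11 03:21:02 node1 sshd[2142]: Failed password for alice from 198.51.100.20 port 40030 ssh2
May 11 03:21:09 node1 sshd[2142]: Accepted password for alice from 198.51.100.20 port 40030 ssh2
May 11 09:02:00 node1 sshd[2201]: Failed password for root from 203.0.113.9 port 60001 ssh2
"""

# Matches the two failure phrasings sshd uses: with and without "invalid user".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog lines carry no year; a fixed year is fine for relative windows
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def brute_force_report(log_text, max_failures=5, window_seconds=60):
    """Per source IP: total failures, distinct usernames tried, and whether at
    least max_failures failures landed inside any window_seconds-long window."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "burst": False})
    recent = defaultdict(deque)  # sliding window of timestamps per source IP
    for ts, ip, user in sorted(parse_failures(log_text)):
        entry = per_ip[ip]
        entry["failures"] += 1
        entry["users"].add(user)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures:
            entry["burst"] = True
    return {
        ip: {"failures": v["failures"], "users": sorted(v["users"]), "burst": v["burst"]}
        for ip, v in per_ip.items()
    }


def block_candidates(report):
    """Source IPs whose failures arrived in a burst; the input to a firewall rule."""
    return sorted(ip for ip, v in report.items() if v["burst"])


if __name__ == "__main__":
    report = brute_force_report(SAMPLE_LOG)
    for ip, v in report.items():
        print(ip, v)
    print("block:", block_candidates(report))
```

The distinct-username count is what separates the two patterns in the thread: a source with five failures against five different accounts in five seconds is guessing, while a legitimate user who mistypes once and then authenticates (198.51.100.20 above) never crosses the threshold. In production the same logic is usually wired to `fail2ban` or a firewall set, and the thresholds are tuned against the site's own baseline.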
You only need one per website if you want it to autofill the username, because resident keys held on the security token can be recognized and suggested automatically but otherwise you must first enter your username on the website and let the website send its challenge value for the corresponding domain and account pair so that your security token can respond correctly.
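The comment above hinges on the relying party sending a challenge for a particular domain and account pair, and on the security token answering only for that domain. The following is an added example, not code from any WebAuthn library or from the commenter; it constructs the two messages a browser and authenticator would return for a `get()` ceremony (`clientDataJSON` and the first 37 bytes of `authenticatorData`) for a hypothetical relying party `bank.example`, and implements the relying-party checks that bind the response to the issued challenge and to the RP ID. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` is deliberately left out so the block runs without a crypto library; a real verifier does it after these checks pass.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge():
    """Fresh per-login challenge; the RP stores it server-side and uses it once."""
    return os.urandom(32)


def make_client_data(challenge, origin):
    # Constructed stand-in for what a browser serialises into clientDataJSON.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id, sign_count=1, flags=0x01):
    # Constructed stand-in: rpIdHash (32 bytes) || flags (1) || signCount (4, big-endian).
    # The token derives rpIdHash from the RP ID the browser passed, so a token
    # scoped to another domain produces a different hash.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def host_matches_rp_id(origin, rp_id):
    """The origin's host must be the RP ID or a subdomain of it (a registrable suffix)."""
    host = (urlsplit(origin).hostname or "").lower()
    return host == rp_id or host.endswith("." + rp_id)


def verify_assertion_binding(expected_challenge, rp_id, client_data_json, authenticator_data):
    """Return (ok, reason) for the challenge and domain checks of a WebAuthn
    assertion. Signature verification is out of scope for this example."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    origin = cd.get("origin", "")
    if urlsplit(origin).scheme != "https" or not host_matches_rp_id(origin, rp_id):
        return False, f"origin {origin} not under rpId {rp_id}"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    print(verify_assertion_binding(challenge, "bank.example",
                                   make_client_data(challenge, "https://bank.example"),
                                   make_authenticator_data("bank.example")))
    print(verify_assertion_binding(challenge, "bank.example",
                                   make_client_data(challenge, "https://bank.example.evil.test"),
                                   make_authenticator_data("bank.example")))
```

Whether the credential is a resident key (the browser lists it without a username) or a non-resident one (the RP looks up the credential ID after the username is entered) changes only how the challenge reaches the token, not these checks: a lookalike origin fails the RP-ID comparison, a token answering for a different domain fails the `rpIdHash` comparison, and a captured response replayed later fails the challenge comparison.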
@robb Yes I did use my email address, because I was not sure what exactly my username was, because I used my custom domain for that. For the time being, I’ve set up a URL redirect using the StopTheMadness Safari extension.
Constant warnings for what seems like ordinary activity
Okay, I give up. How do I user-block instances?
Lemmy Development Update 2024-05-11
Review of the XMR.ID stagenet test (get.xmr.id)
The test for improved XMR ID sign-ups has concluded on stagenet and the form is now active for mainnet-registrations of “real” XMR ID’s at xmr.id....
Incident report: Denial-of-Service (Feather Wallet) (featherwallet.org)
Explains in detail why Feather versions 2.6.5 and below are no longer able to send transactions....
I think we should slightly rethink how login works on most Fediverse apps (Mastodon, Lemmy, but not only)
A while ago I posted a thread back on the...
Once you commit there is no going back (i0.wp.com)
Why I ditched Gmail for Proton Mail (www.androidpolice.com)
OC Banning spam accounts
Banning spam accounts on kbin.social is a cumbersome affair....
Bypass Paywalls Clean is back online (twitter.com)
RCMP warn public of interac e-transfer banking scams (pembinavalleyonline.com)
Big Tech passkey implementations are a trap | Proton (proton.me)
Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security...