@blake@infosec.town

blake

A software developer with a passion for the powers, rights, and freedoms of users. Developer of dahliaOS, LucidLog, Bodacious, and more. Sometimes tries to design and write. Cool tech enthusiast.

Likely to post about #FOSS, #FreeSoftware, and #OpenSource (specifically, my various projects), radio stuff, and some other technology-related stuff. For my climate activism and solarpunk adjacent stuff, see my alt account linked below.

  • I hereby opt in my public posts to be searchable on tootfinder
  • My profile picture is not up to date, even though I just took some for this purpose
  • Recovering from being a lot of bad things, still have more to go. Keep me in check please

blake, to random

My Bridge Wizard now includes support for Bridgy Fed's ATProto-ActivityPub bridge in both directions! It tells you briefly how to opt in, and warns you that it might not work as expected.

blake, to random

decided to look into (the Tim Berners-Lee related one) and, why the hell isn't it in everything by now, or at least able to be?!

Like, why can't I have my files on a Solid pod show up in Nautilus yet?!

In particular, I think it might be really great for a "metaverse passport," a common ID that would include a display name and avatars, and you could potentially use Solid's existent profile and friends stuff too.

blake, to fediverse

idea: a honeypot MITM instance that server admins/mods can use to report who is accessing specific instances. Admins can use that to get rid of problematic users to begin with instead of letting them bring Nazi bullshit onto their instance.

blake, to random

I kinda wish #iceshrimp and/or #sharkey had a tumblr-style queue, I have a ton of unrelated Thoughts but don't want to spam the timeline with them.

It could work if there was an Iceshrimp/Sharkey compatible external client and if they had support for the post scheduling APIs (or just ran in the cloud).

blake, to random

I'm considering starting a new project (yes, I know), an External Component that is a full MIX implementation -- particularly including MIX-MUC, crucial for backwards compatibility.

At this point I'd only do it with a sponsorship or grant or some such. I don't want to take on the responsibility and sacrifice my free time for it just for it to blow up in my face, I'd much rather have some support structure in place.

blake, to random

Oh hey #xmpp people, if you know of a bot I can debug my ad-hoc commands and data forms implementations against, let me know... I'm going to need one.

blake, to random

I can't believe the Verge used AI to write half an article about Brother printers and SEO. At the same time, they did it so right.

www.theverge.com/2024/4/2/24117976/best-printer-2024-home-use-office-use-labels-school-homework

blake, to random

The Threads hate is reasonable.

I even agree with it.

And yet I choose to federate with it, under careful supervision and with no hesitation to block at the user level (which I have done several times, with brands).

That's because I'm a cishet white man. I face little threat from Threads.

If I can put this another way: I'm on the team that can try to get "good" Threads users to come over here, like the Green brothers and Joe Biden (people I want to hear from). For many, many other people, the risks outweigh this, so they'll choose to block Threads, which is a valid choice and for them is the correct one, far and away.

Harassment over it is not the answer and will solve nothing.

blake, to random

After seeing how the XZ maintainer's burnout and mental health decline was exploited to the potential detriment of the whole world, we're totally going to be supporting our developers more, right guys? We're totally going to fund critical OSS and pay maintainers enough to hire on other maintainers to take the burden off of them and reduce burnout, right? Right?

blake, to random

Has anyone tried checking against known symbols to see what mismatches? Any differences in these differences between 5.6.0 and 5.4.5 (I expect there should be)?

I would do this but I don't know how.

blake, to fediverse

app idea: voice/audio oriented. so, kinda like Pixelfed but for audio. The idea is that it's entirely voice-navigable and accessible too, maybe uses text-to-speech to read text notes, maybe use speech-recognition to create a transcript of the note and set it as the alt text. Maybe even stick a native mobile app with it and have it run when the phone's locked until you stop interacting with it or swipe off the app, so you can use it through your headphones, earbuds, or what have you. I feel like the blind or visually impaired might like this, as well as anyone who doesn't want to stare at a screen all the time.

blake, to random

Cloudflare's captcha hasn't been working for me. Which means I'm now locked out of my bank account on my computer. What the hell

blake, to random

I'm beginning to think that the (Mastodon/ActivityPub) Fediverse actually can't be what we're trying to make it (i.e. the definitive social web). Mastodonians are so brazenly hostile towards things like search and quote posting that would help everyone from Black people calling out impostors to experts offering helpful commentary, and bridges that bring more people on¹, and towards anyone who knowingly or not violates the norms. If you bully everyone off the Fediverse, nobody's going to be here. You'll have your little sheltered corner and that's it. So many respectable people have been bullied off of here, to the point that Threads and Bluesky with all of their moderation problems are more comfortable to them.

We also just don't have the tools necessary to effectively expel hate or control spam. (Or rather, we do, but they're not added in or deployed really anywhere.) Instead, we have feudal forum admins who ban everyone they disagree with, cutting thousands of people off from their friends at a whim. Even corporate moderation isn't this bad.

Defederation culture is already making Fedi unusable for pretty much fucking everyone -- like COVID, everyone knows someone who's been defederated, and there's a pretty good chance you have been or will be defederated too. And once it's happened, there's no going back to how it was before.

Plus, our software is built for the old web where federation was the norm, not the new web many people are used to. This makes it very confusing for newcomers and old-timers alike. This is probably the one real advantage Nostr has. Bluesky kinda does this but they're mostly a centralized silo (for now) so maybe they don't count for this point.

The unfortunate thing about having a world that could be whatever you want is that nobody can agree on what it should be.

¹ I totally understand the problems with this; my point was that blocking so many people from joining is counterproductive. See my points about the software and the moderation tools.

blake, to random

this is almost certainly calling out Firefish (and maybe Iceshrimp)...

RE: shonk.social/notes/9ptz6p70vgt4002z

blake, to random

Recently I've noticed a lot of moderative issues that have (potential) solutions and mitigations.
The spam issue, as @devnull pointed out, could be reduced with some kind of reputation system (although doing that in a federated environment could prove difficult).
I've said numerous times we could really use some kind of approval-based federation (I propose both "newly discovered instances must be approved" and "newly discovered users from specific instances must be approved"). This is something between block-by-default and allow-by-default. Maybe you could let lookups from a logged-in local user bypass these, too.
It was either @hrefna or someone else, I forget, who said treating the "replies" collection as the definitive collection of replies would enable moderating or restricting replies to a post.
I think the available time and attention is probably being well spent but these things probably deserve more time and attention than something like quote posts.

blake, to random

I went outside and thought up a system of "Federation protection levels." When applied "globally," it applies to all undiscovered/unapproved instances and controls whether they can be added. Approval of an instance involves setting its protection level. When applied at the "(remote) instance" level, it applies to a specific instance, similar to the existing "suspend" and "silenced/limited" actions, which should remain as they also do different things. The most specific level always applies; so if a level is applied to an instance, that instance is unaffected by the "global" level. Note that this system is designed for Mastodon's simplicity principles and more advanced software should adopt more granular controls.

Maybe I'll turn this into a blog post later with more details.

Platinum - Maximum protection

  • (When set at the "global" level:) Incoming activities from newly discovered instances are completely ignored and must be added manually (allow-list federation).
  • (When set at the "global" level:) Authorized Fetch (HTTP signatures) are enforced. Unknown signatures are not checked and are automatically denied/dropped (as if interacting from a suspended instance).
  • Newly discovered actors are completely ignored, along with their posts, and also must be added manually by administrators or moderators
  • Media from unknown remote instances is completely blocked
  • (When set at the "global" level:) Boosts of posts by unknown users or users from unknown instances are ignored.
  • (When set at the "instance" level:) Boosts of posts by unknown users from this instance are ignored.
  • Follow requests are forced ON for follows from the remote instance.
  • A severe rate limit is applied to all affected remote instances.

Gold - Elevated protection

  • (When set at the "global" level:) Newly discovered instances are flagged for approval.
  • (When set at the "global" level:) Authorized Fetch (HTTP signatures) are enforced.
  • Newly discovered actors are flagged for approval. They are allowed to publish and subscribe, under the limitations from the protection level.
  • A strict rate-limit is applied.
  • Incoming notes from users/accounts from this instance who are not followed by a local user/account are dropped.
  • (When set at the "global" level:) Boosts of posts by unknown actors or users from unknown instances are only federated if the booster is followed locally.
  • (When set at the "instance" level:) Boosts of posts by unknown actors from this instance are only federated if the booster is followed locally.
  • Media is cached/proxied only when directly posted by locally followed actors.
  • Direct messages from an actor A to an actor B which does not follow actor A are dropped (or maybe hidden away somewhere).
  • Follow requests are forced ON for follows from the remote instance.

Silver - Medium protection

  • (When set at the "global" level:) Newly discovered instances are flagged for approval. They are allowed to publish and subscribe, under the limitations from the protection level.
  • (When set at the "global" level:) Authorized Fetch (HTTP signatures) are enforced.
  • Newly discovered users/accounts are flagged for approval. They are allowed to publish and subscribe, under the limitations from the protection level.
  • Direct messages from an actor A to an actor B which does not follow actor A are dropped (or maybe hidden away somewhere).

Bronze - Minimal protection
This is the only protection level available today.

  • (When set at the "global" level:) Authorized Fetch (HTTP signatures) are not enforced; that is, you are able to look up any public post simply by not including the relevant headers.

blake, to random
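As an added example (not code from the post above, and not from any Fediverse server project), here is a small Python policy engine that models the protection levels described above: a global level, per-instance overrides, the "most specific level applies" rule, and a decision for a handful of incoming activity kinds (notes, boosts, DMs, media, follows). The `Level`, `Activity`, `Decision` and `Policy` names, the activity fields, and the choice of which rules carry over to levels where the post does not mention them (DM dropping at Platinum) are assumptions made for this example.

```python
"""Toy model of the "Federation protection levels" proposal (added example).

Assumptions: incoming traffic is pre-parsed into an Activity whose flags
(signed, instance_known, ...) were computed by the server; the engine only
answers "accept or drop, and under which limits".
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    BRONZE = 0    # minimal: the only level that exists today
    SILVER = 1
    GOLD = 2
    PLATINUM = 3


@dataclass
class Activity:
    kind: str                              # "note" | "boost" | "dm" | "media" | "follow"
    instance: str                          # origin domain
    actor: str                             # "user@domain"
    instance_known: bool = True            # instance already discovered/approved
    actor_known: bool = True               # actor already discovered/approved
    actor_followed_locally: bool = False   # some local account follows the actor
    signed: bool = True                    # valid HTTP signature present (Authorized Fetch)
    recipient_follows_actor: bool = False  # for DMs: does the recipient follow the sender?
    boost_target_known: bool = True        # for boosts: boosted actor and its instance known?


@dataclass
class Decision:
    action: str                            # "accept" | "drop"
    reason: str
    flagged: bool = False                  # surfaced to mods for approval
    rate_limit: Optional[str] = None       # None | "strict" | "severe"
    force_follow_request: bool = False     # follows must be manually approved


@dataclass
class Policy:
    global_level: Level = Level.BRONZE
    instance_levels: dict = field(default_factory=dict)   # domain -> Level

    def level_for(self, instance: str) -> Level:
        """Most specific level wins: a per-instance level overrides the global one."""
        return self.instance_levels.get(instance, self.global_level)

    def decide(self, a: Activity) -> Decision:
        lvl = self.level_for(a.instance)
        if lvl == Level.BRONZE:
            return Decision("accept", "bronze: no checks, unsigned fetches allowed")

        # Silver and above enforce Authorized Fetch: unsigned traffic is dropped.
        if not a.signed:
            return Decision("drop", "unsigned request rejected")

        flagged = False
        if not a.instance_known:
            if lvl == Level.PLATINUM:
                return Decision("drop", "unknown instance ignored (allow-list federation)")
            flagged = True   # Gold/Silver: flag the new instance for approval
        if not a.actor_known:
            if lvl == Level.PLATINUM:
                return Decision("drop", "unknown actor and their posts ignored")
            flagged = True   # Gold/Silver: flag the new actor for approval

        # DMs to someone who does not follow the sender are dropped (Silver/Gold in
        # the proposal; assumed to carry over to Platinum here).
        if a.kind == "dm" and not a.recipient_follows_actor:
            return Decision("drop", "DM from an actor the recipient does not follow", flagged)

        if a.kind == "boost" and not a.boost_target_known:
            if lvl == Level.PLATINUM:
                return Decision("drop", "boost of unknown actor ignored", flagged)
            if lvl == Level.GOLD and not a.actor_followed_locally:
                return Decision("drop", "boost of unknown actor by non-followed booster", flagged)

        if lvl == Level.GOLD:
            if a.kind == "note" and not a.actor_followed_locally:
                return Decision("drop", "note from actor no local account follows", flagged)
            if a.kind == "media" and not a.actor_followed_locally:
                return Decision("drop", "media not cached: poster not followed locally", flagged)

        rate_limit = {Level.SILVER: None, Level.GOLD: "strict", Level.PLATINUM: "severe"}[lvl]
        return Decision("accept", "allowed under level limits", flagged, rate_limit,
                        force_follow_request=lvl >= Level.GOLD)


if __name__ == "__main__":
    # Constructed sample policy: Gold globally, one trusted and one locked-down instance.
    policy = Policy(Level.GOLD, {"trusted.example": Level.BRONZE,
                                 "sketchy.example": Level.PLATINUM})
    for act in [
        Activity("note", "trusted.example", "a@trusted.example", signed=False),
        Activity("note", "random.example", "b@random.example", instance_known=False),
        Activity("dm", "sketchy.example", "c@sketchy.example"),
    ]:
        print(act.kind, act.instance, "->", policy.decide(act))
```

The engine deliberately short-circuits on the broadest checks first (signature, instance, actor) so that a Platinum instance never reaches the per-activity rules for unknown senders; anything that makes it to the final `accept` still carries the level's rate limit and follow-request flag.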

I feel so bad for this guy who's spent months and months working on this cool new thing he's so proud of and agonizing over how to make the least amount of people mad as possible and his entire audience save a few cis white men hate him and block him and his cool toy for it.

blake, to random

Not all things need to be federated. Wikis probably shouldn't be openly federated (although closed federation a la IRC and pushing to mirrors isn't a terrible idea). Forums can get away with not being federated. Both should probably support something like IndieAuth to make it far simpler to participate, though.

blake, to random

Well now we know what Fediverse server software has a 9.8/10 severity vulnerability... and now we're just waiting for them to haggle over putting out the fix!

blake, to rust

Maybe something I can try for the purpose of learning is setting up a real-time communication channel in (i.e. a socket that the web UI could use to show real-time information, typing indicators, etc). Maybe it's too easy or too hard... I also have an audio processing project I intend on doing in Rust but I haven't managed to get myself to do that yet.

Also, I still want to have NodeBB. It might become affordable for a lot more communities that way! There's a request lodged for it in their feedback thing but there's currently no indication they plan on adding it.

blake, to random

The finishing blow to firefish.social has been made: it now simply gives up and returns 503. Sure there's more decay past this point, like at some point it won't hit anything and at some point the DNS will stop resolving and at some point the IP will stop resolving but there's no Firefish left on firefish.social.

🫡

blake, to forum

A that takes on would have to:

  • Have some kind of real-time interface. The chat-like style Spectrum.chat used was great for this (apart from Spectrum (source linked) being slow as hell).
  • Provide plenty of single sign-on. IndieAuth on by default could be a big help.
  • Have a cheap/free (at least sponsor open-source projects to be free), dead-simple way to host your own

Other nice-to-haves:

  • Fediverse support of some kind.
  • Integration with Discord (hell, using Discord's forums, and bi-directional! It's possible with Discord's API, last I checked).

blake, to random

Friendly reminder that the US is actually on the metric system, it's just that there's just a handful of official cases that haven't converted (highway signs and meteorology), and a shitton of old people who can't be arsed to learn shit.

The highway signs would cost a shit ton of money and time to replace, and then you have to do education too. I assume there's a similar excuse for the National Weather Service to still be using Fahrenheit and (nautical) miles in its official material, but I haven't heard it.

blake, to random

Something New on The Mystery Signal on 155.52 MHz: it came on, kept repeating two patterns (we'll call them "data", the random-looking one, and "pause", the one that comes out like a bunch of straight or wavy lines on the waterfall), occasionally cut off and started the preamble tones again and kept going, until it broke the pattern, sent something with longer data and shorter pauses, and then cut off.

Usually, the "pause" is quite short, but during this transmission, it was almost the same length as the "data" portions.

Also, in SSB or DSB modes, the outro tone sounds like a DTMF tone. The intro tones don't, I think, although the first of the three intro tones is the same as the outro tone.

I should have recorded that long burst to see if the restarts were a specific time apart or something.

blake, to random

STOP BUILDING LUXURY CARS/HOUSES

NOBODY CAN AFFORD THEM

"Oh let me pay a million dollars for a fucking closet because there's nowhere else to go!"

THEY HAVE PLAYED US FOR ABSOLUTE FOOLS
