Giving chaperones a shot in Racket for the first time.
@szbalint @joeyh not sure if you saw the Guile vulnerability that we uncovered a while ago where live hacking sessions listening on localhost were vulnerable to confused deputy attacks through browsers and etc (notably, also activitypub instances that don't heed this advice) that allowed arbitrary code execution https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html
localhost-only ain't
@joeyh once again the ocap people are right that "perimeter security is eggshell security"
(This is also why CORS is a failed security model)
@cwebber localhost only is not good enough, and the full IP blacklist is quite hard (especially considering IPV6, 4-in-6 etc).
Remember the guy who made his garage door respond to GET requests..
@cwebber I was not sure how to really fit that credit in, but thanks for that
@cwebber btw you had some late-nite toots a while ago that got me thinking about this again
@joeyh oh really? Was it the one about bumping into Racket's http lib grabbing stuff from file:// by default? I was wondering if maybe you saw that and it influenced this but figured it was unlikely!
@joeyh If you're an ActivityPub implementor, you should *make sure your software is not vulnerable to these kinds of attacks*. The redirect one is especially tricky.
@joeyh posted about two security vulnerabilities he uncovered http://joeyh.name/blog/entry/two_security_holes_and_a_new_library/
Notably the ActivityPub appendix warns about these kinds of security vulnerabilities: don't fetch from uri schemes you don't know (be sure your http lib doesn't accept file://) and don't fetch from localhost (though sadly it's hard not to do this one... "localhost-only" is mostly doomed).
But Joey's post also points out that even if you filter out the scheme and localhost yourself, redirects may bite you
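One way to implement the three checks the thread describes (an allow-list of URI schemes so file:// is never fetched, rejection of localhost and non-public addresses, and re-validation on every redirect hop instead of letting the HTTP library follow redirects). This is an added Python example, not code from the thread, from Racket's or Guile's HTTP library, or from any ActivityPub implementation; the pluggable `resolver` and `fetch` callbacks and the `MAX_REDIRECTS` limit are assumptions made here. It goes slightly beyond the posts by also unwrapping IPv4-mapped IPv6 literals and refusing a name that resolves to a mix of public and loopback records.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5  # assumed limit; pick what your fetcher tolerates

def resolve_all(host):
    """Default resolver: every IPv4/IPv6 address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public(addr):
    """True only for a globally routable address; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback, not a public v6 host
    return ip.is_global

def check_fetch_target(url, resolver=resolve_all):
    """Return None if url may be fetched, otherwise the reason it is refused."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"  # rejects file://, data:, gopher:// ...
    host = (parts.hostname or "").lower()
    if not host or host == "localhost" or host.endswith(".localhost"):
        return "host is missing or is localhost"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return f"cannot resolve {host}: {exc}"
    # Check every record: one public plus one loopback answer is still unsafe.
    bad = [a for a in addrs if not is_public(a)]
    if bad:
        return f"{host} resolves to non-public address(es) {sorted(bad)}"
    return None

def safe_fetch(url, fetch, resolver=resolve_all):
    """Follow redirects by hand so every hop is re-validated.
    fetch(url) -> (status, headers, body) and must NOT follow redirects itself."""
    for _ in range(MAX_REDIRECTS + 1):
        reason = check_fetch_target(url, resolver)
        if reason is not None:
            raise ValueError(f"refusing {url}: {reason}")
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # resolve relative Location, then re-check
            continue
        return body
    raise ValueError("too many redirects")
```

The redirect loop is the part the thread flags as tricky: the first URL passes the scheme and host checks, so only re-running them on each `Location` target catches a hop to 127.0.0.1 or to file://.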
Wait, what. Windows 10 sends info on USB devices plugged in directly to Microsoft?
And it does that using pure HTTP?
https://pastebin.com/ttYp5rLg
You gotta be kidding me.
I don't accept ads, or aggressive brand/s accts or paid toots (I’ve been approached) but I do support free & #opensource programs. We have some amazing creative orgs represented on the #Fediverse thru
#Mastodon’s super-scalable #ActivityPub implementation.
If you haven't tried them then you’re missing out (a-z). U have control over ur social & creative lives w #FLOSS
@Blender
#DarkTable
@GIMP
@inkscape
@Krita
@ubuntustudio
Others?
Godwin's Law in the Age of Trump by... Godwin https://www.rstreet.org/2018/06/25/godwins-law-in-the-age-of-trump/
@kmicu that line of argument is not gonna help us. Free/open source software is both free *and* commercial. See http://blog.ieeesoftware.org/2016/04/dissecting-myth-that-open-source.html?m=1 . #art13 should go away also for commercial use in order for #FOSS to thrive.
I just helped to stop #CensorshipMachines that would filter ALL of our online content. You too can help to #SaveYourInternet: http://d.shpg.org/420107097t Contact your EU representative before 4 July!
@jorty la forge
@cwebber me: auuughhh it's so hot today
christopher lemmer webber: ah... it's so.... temperate here...
@Curator Mistakes happen, no worries. Anyway, looks like it isn't https://github.com/ephtracy/ephtracy.github.io/issues/17