Feel free to argue with facts. Hardening systems is my job.
troed
HW/FW security researcher & Demoscene elder.
I started having arguments online back on Fidonet and Usenet. I’m too tired to care now.
- 0 Posts
- 84 Comments
Joined 2 years ago
Cake day: June 12th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
This is not “the correct answer”. There’s absolutely nothing wrong with “exposing” SSH.
A few replies here give the correct advice. Others are just way off.
To those of you who wrote anything else than “disable passwords, use key based login only and you’re good” - please spend more time learning the subject before offering up advice to others.
(fail2ban is nice to run in addition, I do so myself, but it’s more for to stop wasting resources than having to do with security since no one is bruteforcing keys)
31·6 days agoThere are still server softwares our there that are going to be exposing people’s private Mastodon posts.
You could’ve saved yourself a lot of typing there by just admitting to claiming things you actually didn’t know.
If you know of other ActivityPub servers that expose private posts the same way I suggest you make a responsible disclosure to the developers.
I don’t know of any, but you claim they exist so …
You have absolutely no idea what “responsible” in “responsible disclosure” means :) It’s completely irrelevant how Mastodon has implemented private posts when it comes to how Dansup handled the issue, knowing what the effects were.
You don’t, when told of a vulnerability, handle it in a way that cause harm if it can be avoided.
Read more, post less. I’ve said nothing about any spec violation. That’s not relevant.
hahahahaha
Watch and try again ;) I post under my real name.
https://www.cve.org/CVERecord?id=CVE-2024-44754
https://www.youtube.com/watch?v=ZbKLAjPYOEg
Feel free to post less and read more.
It has everything to do with ActivityPub since if you follow that protocol strictly you will cause this behavior. It still doesn’t change that Dansup was told that this caused Bad Things™ and yet he didn’t follow normal procedure in how you handle it.
Vulnerabilities don’t need to be buffer overflows.
/cybersec researcher
Regardless whether you want to pretend that not caring about Mastodon is a valid defense when implementing software using the ActivityPub protocol, that still doesn’t change anything regarding how Dansup handled the disclosure of the effects it had.
Yes, necessarily.
Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server
The private account would still need to accept a follower from that rogue instance.
You might have a very different definition of “average Discord user” than the average Discord user.
Matrix is a decentralized platform with the same level of security/encryption as Signal. Being decentralized you can run your own server, and chat with others on other servers.
It supports groups, voice, streams etc - similar to Discord/Slack/Teams etc.
Open source. Multiple different server and client implementations. Mobile platforms, “all” operating systems, and with bridges so you can have your IRC, Telegram, Slack, FB Messenger etc channels go to your Matrix account/server.
Are you using the dockerized version? If so it sets up (a) database etc.
How large is large? A few hundreds? Not seeing any performance issues.
Telegram is not a secure messenger.
Yes to multiple platforms, groups etc.
Well if you have a VPS then installing the dockerized Synapse just takes a few minutes.
Might be that I simply don’t believe you as well. I also know a few people running Matrix servers besides myself (Synapse as well as Conduit) and ever since Sliding Sync and clients that support it (Element X, not Element etc) this issue simply doesn’t exist.
Still no. Here’s the reasoning: A well known SSHd is the most secure codebase you’ll find out there. With key-based login only, it’s not possible to brute force entry. Thus, changing port or running fail2ban doesn’t add anything to the security of your system, it just gets rid of bot login log entries and some - very minimal - resource usage.
If there’s a public SSHd exploit out, attackers will portscan and and find your SSHd anyway. If there’s a 0-day out it’s the same.
(your points 4 and 5 are outside the scope of the SSH discussion)