lyse
lyse.isobeef.org
 (7w ago)
In-reply-to » It's also (expectedly) in the feed file on disk:

@prologic@twtxt.net Yep. Doesn’t matter if JS in turned on or not. So it is somewhere hiding in the Go core. Some replacement going berserk, I’d say.

It happens to each bracketed text individually: https://lyse.isobeef.org/tmp/bracketed-text/triple.png

But then the question still is, why on earth does it happen to old twts, too? I’m getting into my code excavator.

⤋ Read More
prologic
twtxt.net
 (7w ago)
In-reply-to » @lyse As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.

It’s also (expectedly) in the feed file on disk:

2024-08-04T21:22:05+10:00	[foo][foo=][foo][foo=]

⤋ Read More
prologic
twtxt.net
 (7w ago)
In-reply-to » @lyse As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.

@lyse@lyse.isobeef.org Holy fucking shit! You’re right! You got me out of bed for this one, I spun my local dev instance and entered a Twt with [foo] and ended up with [foo][foo=][foo][foo=] wut da actual fuq?! 🤔

⤋ Read More
prologic
twtxt.net
 (7w ago)
In-reply-to » Hmm I see it! It's so obvious 🤦‍♂️ I smell an attack of some kind.

The reason I think this is some kind of attack is based on the repeated content and some of its uniqueness 🤔 This is so uncharacteristic if both victims 🤔

⤋ Read More
lyse
lyse.isobeef.org
 (7w ago)
In-reply-to » @lyse As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.

Righto, @prologic@twtxt.net, I just checkout out current main of yarnd (commit 5101ec240ddb0e5e39809bf8a7b847508b3ac298) and ran make dev. After registering a user and logging in, I then entered a twt with double bracketed text (without the equal sign on the second one, though) and it was expanded into eight brackets. So, this is clearly a bug. Let me dig deeper.

I hope I zoomed in enough, so you can read the stuff on my screenshot: https://lyse.isobeef.org/tmp/bracketed-text/bug.png

⤋ Read More
lyse
lyse.isobeef.org
 (7w ago)
In-reply-to » Hmm I see it! It's so obvious 🤦‍♂️ I smell an attack of some kind.

@prologic@twtxt.net To clarify, I meant some kind of a cache poisoning attack using the gossipping mechanism to inject garbage on purpose. Not hijacked user accounts.

However, since this all relates to bracketed text, I do not find an attack of some sort very likely. It’s probably just a bug somewhere.

⤋ Read More
lyse
lyse.isobeef.org
 (7w ago)
In-reply-to » @lyse As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.

@prologic@twtxt.net Here’s an attempt at an analysis: https://lyse.isobeef.org/tmp/bracketed-text/

I just set up a cronjob to fetch and analyze both feeds every six hours. I probably have to do some dedup, otherwise the list gets out of handy rather quickly.

⤋ Read More
prologic
twtxt.net
 (7w ago)
In-reply-to » @lyse As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.

Hmm I see it! It’s so obvious 🤦‍♂️ I smell an attack of some kind.

⤋ Read More
prologic
twtxt.net
 (7w ago)
In-reply-to » @lyse As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.

@lyse@lyse.isobeef.org This is really weird. Do you have an example of this bracketed text? Re peers, I’m aware of all the peers, nothing surprising there.

⤋ Read More
lyse
lyse.isobeef.org
 (7w ago)
In-reply-to » @lyse As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.

And now, @bender@twtxt.net’s feed changed, too. Bracketed text got duplicated once again.

How do the feeds look on disk? Do they already contain this bracketed text?

For reference, I just placed a copy of the feed here: https://lyse.isobeef.org/tmp/bracketed-text/bender-2024-08-04-10-34.txt

I haven’t marked the changed twts by @mckinley@twtxt.net as read last time, so I don’t know if something changed there as well. In any case, current snapshot: https://lyse.isobeef.org/tmp/bracketed-text/mckinley-2024-08-04-10-39.txt

Yarnd gossipping might be the reason for the truncated stuff, @prologic@twtxt.net. Who are your peers? Any obvious broken yarnd version or even some kind of an attacker involved? But there must be something else broken in yarnd for the bracketed text to be duplicated.

⤋ Read More
movq
www.uninformativ.de
 (7w ago)
In-reply-to » A equivalent yarnc debug <url> only sees the 2nd hash Media

@prologic@twtxt.net In that screenshot (https://twtxt.net/media/7c3rEWveU64SAxrXZ6CDYS.png), all the bracketed stuff is duplicated again, compared to lyse’s original twt. I suspect that’s the cause for the changed hash.

I could not reproduce this by manually duplicating those text areas in lyse’s twt. I end up with the hash pjdciga instead, but I probably mistyped something.

⤋ Read More
prologic
twtxt.net
 (7w ago)
In-reply-to » @prologic Ah yes, the other Go reverse proxy. Caddy seems simpler to me, more like Nginx with better defaults and a built-in ACME client. Traefik seems to have way more bells and whistles for all kinds of crazy setups when I only need to map domain names to containername:port pairs.

@mckinley@twtxt.net That’s actually all I used it for myself 👌 All those other “bells ‘n whistles” are really just Traefik supporting lots of alternate setups and drivers for discovery, etc.

⤋ Read More
bender
twtxt.net
 (7w ago)
In-reply-to » The mobile autocomplete bug is something I can reproduce and likely fix soon™ -- I think its happenning because I accidentally nuked this pod's cache the other day (sorry!) 😢 -- But it is also a bug 🐛

@prologic@twtxt.net no worries! It pains me to find bugs in Yarn, though. I want it to be flawless, you know, like Microsoft Windows. 🤭

⤋ Read More
bender
twtxt.net
 (7w ago)
In-reply-to » @prologic I thought you were one of the people telling me how great it was. It is a Go project, after all. What do you usually use? I always find myself spending a lot of time making Nginx do what I want and I don't think I've ever had automatic certificate renewal work the first time.

@mckinley@twtxt.net Caddy is simpler and act as both, web server and a reverse proxy. Traefik is only—albeit on steroids—a reverse proxy.

⤋ Read More
bender
twtxt.net
 (7w ago)
In-reply-to » The end-to-end encryption means very little if you have your messages backed up in iCloud because the encryption keys are also stored with the messages in iCloud according to this FBI document. If that's the case, Apple can definitely read your messages as well as (obviously) any government agency who can make a legal request to Apple.

@mckinley@twtxt.net it is opt-in because all your devices logged into the same iCloud account need to be at a compatible level. You also have to have a designated recovery account member which, obviously, you need to manually add.

⤋ Read More
mckinley
twtxt.net
 (7w ago)
In-reply-to » The end-to-end encryption means very little if you have your messages backed up in iCloud because the encryption keys are also stored with the messages in iCloud according to this FBI document. If that's the case, Apple can definitely read your messages as well as (obviously) any government agency who can make a legal request to Apple.

@bender@twtxt.net That’s great, actually, but it’s a shame you have to opt in to it.

⤋ Read More
mckinley
twtxt.net
 (7w ago)
In-reply-to » @prologic I thought you were one of the people telling me how great it was. It is a Go project, after all. What do you usually use? I always find myself spending a lot of time making Nginx do what I want and I don't think I've ever had automatic certificate renewal work the first time.

@prologic@twtxt.net Ah yes, the other Go reverse proxy. Caddy seems simpler to me, more like Nginx with better defaults and a built-in ACME client. Traefik seems to have way more bells and whistles for all kinds of crazy setups when I only need to map domain names to containername:port pairs.

⤋ Read More
prologic
twtxt.net
 (7w ago)

The mobile autocomplete bug is something I can reproduce and likely fix soon™ – I think its happenning because I accidentally nuked this pod’s cache the other day (sorry!) 😢 – But it is also a bug 🐛

⤋ Read More
prologic
twtxt.net
 (7w ago)

As for @mckinley@twtxt.net ’s odd Twt, I only see one instance of this:

2023-01-09T22:42:37Z	(#dusjj6a) @<lyse https://lyse.isobeef.org/twtxt.txt> As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.

If we had a custom feed generator that hooks directly into the YouTube API, I'll bet we could find that information and put "[Scheduled][Scheduled=][Scheduled][Scheduled=][Scheduled][Scheduled=][Scheduled][Scheduled=]" in the title for premieres and remove it when the video is available.

And I have no fucking clue how this happened. I can’t imagine anything in the yarnd codebase would be responsible for this weirdness 🤣

⤋ Read More
prologic
twtxt.net
 (7w ago)
In-reply-to » @prologic I thought you were one of the people telling me how great it was. It is a Go project, after all. What do you usually use? I always find myself spending a lot of time making Nginx do what I want and I don't think I've ever had automatic certificate renewal work the first time.

@mckinley@twtxt.net Nah it wasn’t me, trust me 🤣 I actually use Traefik for my ingres.

⤋ Read More
prologic
twtxt.net
 (7w ago)
In-reply-to » Definitely something going on here. Cloudflare is my main suspect.

I can’t explain this. I’m leaning towards a peering pod being responsible for producing a different hash, and twtxt.net pulling that in from a peer. But that would only happen if my pod doesn’t have the Root Twt ans asked its peers for it. And that implies other pods are producing incorrect/different hashes “somehow”. So all of that seems highly unlikely tbh.

⤋ Read More
mckinley
twtxt.net
 (7w ago)
In-reply-to » I finally gave in and tried out Caddy. It's about as great as everyone says it is.

All the “magic” might be nice in the short term, but as it becomes the default it can paper over some really questionable decisions when it’s too late to change them. This can be applied to a number of things in computing but the best example I can think of is networking. (Side note: That’s one of my favorite blog posts ever.)

Things start out simple and got more complicated until someone figures out how to cover up the mess. Then, since nobody wants to get in there and fix it properly and everyone else has already moved on, we just ignore what’s behind the curtain and hope it all keeps working.

⤋ Read More