Also FWIW this is all my fault for writing shitty vulnerable code 🤣 So blame me! I’m sorry 🙏
FWIW I’m still trying to find the cause of the multi-GB avatars that both @stigatle@yarn.stigatle.no and @abucci@anthony.buc.ci ’s pods were trying to download. The flaw has since been fixed in the code but I’m still trying to investigate the source 🤞
@bender@twtxt.net Hehe 🤣
Hmmm something happened last night at ~3am (AEST) that decreased traffic to my pod quite considerably… Hmmm? Anyone have any ideas? 💡
Radxa X4 with Intel Alder Lake-N Processor and 2.5GbE LAN Now Available for Preorder
On my blog: Real Life in Star Trek, Hero Worship https://john.colagioia.net/blog/2024/07/25/hero-worship.html #scifi #startrek #closereading
@bender@twtxt.net haha funny! though i just realized my ISP is the only one with fiber pulled to the property so i would have to get a phone line from them somehow. The other ISP in the area is basically a mobile hotspot.
We received the abuse report below regarding network abuse from the IP address indicated.
On researching I see that HTTPS (tcp 443) traffic is continuing and originating from your NAT IP address 100.64.x.x
This was further found to be originating from your firewall/router at 192.168.x.x (MAC D8:58:D7:x:x:x).
This abuse is continuing and constitutes a violation of [ISP] Acceptable Use Policy and Terms of Service.
Please take action to identify the source of the abuse and prevent it from continuing.
Failure to stop the abuse may result in suspension or cancellation of service. Thank you,
@xuu@txt.sour.is wow, not cool.
he emailed my ISP about causing logging abuse. This is the only real ISP in my area, it’s gonna basically send me back to dialup.
@xuu@txt.sour.is For what reason?
Hey so.. i just got an email from my ISP saying they will terminate my service. Did i break something @abucci@anthony.buc.ci ?
@abucci@anthony.buc.ci No worries! All in the name of better reliability and security 😅
@stigatle@yarn.stigatle.no Thanks! Sooo cold 🥶
@stigatle@yarn.stigatle.no no problems 👌 one problem solved at least 🤣
@prologic@twtxt.net sleep well!
@stigatle@yarn.stigatle.no @prologic@twtxt.net my /tmp is also fine now! Thanks for your help @prologic@twtxt.net!
Anyway, I’m gonna have to go to bed… We’ll continue this on the weekend. Still trying to hunt down some kind of suspected multi-GB avatar using @stigatle@yarn.stigatle.no ’s pod’s cache:
```bash
$ (echo "URL Bytes"; sort -n -k 2 -r < avatars.txt | head) | column -t
URL Bytes
https://birkbak.neocities.org/avatar.jpg 667640
https://darch.neocities.org/avatar.png 652960
http://darch.dk/avatar.png 603210
https://social.naln1.ca/media/0c4f65a4be32ff3caf54efb60166a8c965cc6ac7c30a0efd1e51c307b087f47b.png 327947
...
```
But so far nothing much… Still running the search…
@prologic@twtxt.net @abucci@anthony.buc.ci my /tmp is fine now, no avatars there. I have to drive my daughter to a birthday party now, but I keep things running and I’ll check when I get back.
Out of interest, are you able to block whole ASN(s)? I blocked the entirety of the AWS and Facebook ASN(s) recently.
@abucci@anthony.buc.ci Oh 🤣 Well my IP is a known subnet and static, so if you need to know what it is, Email me 😅
@abucci@anthony.buc.ci Seems to be okay now hmmm
@abucci@anthony.buc.ci Hmm I can see your twts on my pod now 🤔
@abucci@anthony.buc.ci yeah I can see it :)
@abucci@anthony.buc.ci / @abucci@anthony.buc.ci Any interesting errors pop up in the server logs since the flaw got fixed (unbounded receiveFile())? 🤔
Hmmm 🧐
```bash
for url in $(jq -r '.Twters[].avatar' cache.json | sed '/^$/d' | grep -v -E '(twtxt.net|anthony.buc.ci|yarn.stigatle.no|yarn.mills.io)' | sort -u); do echo "$url $(curl -I -s -o /dev/null -w '%header{content-length}' "$url")"; done
...
```
😅 Let’s see… 🤔
@prologic@twtxt.net will do, thanks for the tip!
@stigatle@yarn.stigatle.no The one you sent is fine. I’m inspecting it now. I’m just saying, do yourself a favor and nuke your pod’s garbage cache 🤣 It’ll rebuild automatically in a much more pristine state.
@prologic@twtxt.net you want a new cache from me - or was the one I sent OK for what you needed?
That was also a source of abuse that also got plugged (being able to fill up the cache with garbage data)
Ooof
```bash
$ jq '.Feeds | keys[]' cache.json | wc -l
4402
```
If you both don’t mind dropping your caches. I would recommend it. Settings -> Poderator Settings -> Refresh cache.
@prologic@twtxt.net No worries, thanks for working on the fix for it so fast :)
@stigatle@yarn.stigatle.no Thank you! 🙏
@prologic@twtxt.net here you go:
https://drive.proton.me/urls/XRKQQ632SG#LXWehEZMNQWF
@stigatle@yarn.stigatle.no Ta. I hope my theory is right 😅
@prologic@twtxt.net thank you. I run it now as you said, I’ll get the files put somewhere shortly.
But just have a look at the yarnd server logs too. Any new interesting errors? 🤔 No more multi-GB tmp files? 🤔
@stigatle@yarn.stigatle.no You want to run backup_db.sh and dump_cache.sh. They pipe JSON to stdout and prompt for your admin password. Example:
```bash
URL=<your_pod_url> ADMIN=<your_admin_user> ./tools/dump_cache.sh > cache.json
```
@prologic@twtxt.net so, if I’m correct the dump tool made a pods.txt and a stats.txt file, those are the ones you want? or do you want the output that it spits out in the console window?
Just thinking out loud here… With that PR merged (or if you built off that branch), you might hopefully see new errors popup and we might catch this problematic bad feed in the act? Hmmm 🧐
@slashdot@feeds.twtxt.net I thought Sunday was the hottest day on Earth 🤦♂️ wtf is wrong with Slashdot these days?! 🤣
if we can figure out wtf is going on here and my theory is right, we can blacklist that feed, hell even add it to the codebase as an “asshole”.
@stigatle@yarn.stigatle.no The problem is it’ll only cause the attack to stop and error out. It won’t stop your pod from trying to do this over and over again. That’s why I need some help inspecting both your pods for “bad feeds”.
@prologic@twtxt.net I’m running it now. I’ll keep an eye out for the tmp folder now (I built the branch you have made). I’ll let you know shortly if it helped on my end.
@abucci@anthony.buc.ci / @stigatle@yarn.stigatle.no Please git pull, rebuild and redeploy. There is also a shell script in ./tools called dump_cache.sh. Please run this, dump your cache and share it with me. 🙏
I’m going to merge this…
@abucci@anthony.buc.ci Yeah I’ve had to block entire ASN(s) recently myself from bad actors, mostly bad AI bots actually from Facebook and Claude AI
Or if y’all trust my monkey-ass coding skillz I’ll just merge and you can do a git pull and rebuild 😅
@stigatle@yarn.stigatle.no / @abucci@anthony.buc.ci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed’s preamble (metadata). I’d love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/
@prologic@twtxt.net yeah I still do have that issue, I compiled latest main, did not apply any patches or anything like that.
@stigatle@yarn.stigatle.no I’m wondering whether you’re having the same issue as @abucci@anthony.buc.ci still? multi-GB yarnd-avatar-* files piling up in /tmp/? 🤔
@prologic@twtxt.net yeah, I ran out of space again. also have the activitypub stuff turned off (just so you know).
watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.
@abucci@anthony.buc.ci So… The only way I see this happening at all is if your pod is fetching feeds which have multi-GB sized avatar(s) in their feed metadata. So the PR I linked earlier will plug that flaw. But now I want to confirm that theory. Can I get you to dump your cache to JSON for me and share it with me?
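To illustrate the class of fix being discussed (a size cap on avatar downloads plus cleanup of the temp file on failure), here is an added Go example; it is not yarnd’s code or the linked PR, and the names receiveFileBounded, checkDeclaredSize, ErrTooLarge and the 1 KiB cap in main are assumptions for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// ErrTooLarge is returned when a body exceeds the configured size limit.
var ErrTooLarge = errors.New("avatar exceeds maximum allowed size")

// checkDeclaredSize rejects a response up front when the server advertises a
// Content-Length above the limit. A missing (-1) or understated header is
// still caught by receiveFileBounded, so both checks are needed.
func checkDeclaredSize(contentLength, maxBytes int64) error {
	if contentLength > maxBytes {
		return ErrTooLarge
	}
	return nil
}

// receiveFileBounded copies at most maxBytes from r into a temp file created
// with pattern (e.g. "yarnd-avatar-*"). If the body is larger than maxBytes the
// partial file is removed and ErrTooLarge is returned; on any other error the
// temp file is also removed, so nothing is left behind in /tmp.
func receiveFileBounded(r io.Reader, pattern string, maxBytes int64) (string, error) {
	tf, err := os.CreateTemp("", pattern)
	if err != nil {
		return "", err
	}
	// Read one byte beyond the limit to tell "exactly maxBytes" from "more".
	n, err := io.Copy(tf, io.LimitReader(r, maxBytes+1))
	if cerr := tf.Close(); err == nil {
		err = cerr
	}
	if err == nil && n > maxBytes {
		err = ErrTooLarge
	}
	if err != nil {
		os.Remove(tf.Name())
		return "", err
	}
	return tf.Name(), nil
}

func main() {
	// Constructed stand-in for a hostile feed's avatar body: 2 KiB against a 1 KiB cap.
	body := strings.NewReader(strings.Repeat("x", 2048))
	name, err := receiveFileBounded(body, "yarnd-avatar-*", 1024)
	fmt.Printf("path=%q err=%v\n", name, err) // path="" err=avatar exceeds maximum allowed size
}
```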
@abucci@anthony.buc.ci Yeah that should be okay, you get so much crap on the web 🤦♂️
@abucci@anthony.buc.ci sift is a tool I use for grep/find, etc.
What would you like to know about the files?
Roughly what their contents are. I’ve been reviewing the code paths responsible and have found a flaw that needs to be fixed ASAP.
Here’s the PR: https://git.mills.io/yarnsocial/yarn/pulls/1169
Monday Was Hottest Recorded Day on Earth: ‘Uncharted Territory’
World temperature reached the hottest levels ever measured on Monday, beating the record that was set just one day before, data suggests. From a report: Provisional data published on Wednesday by the Copernicus Climate Change Service, which holds data that stretches back to 1940, shows that the global surface air temperature reached 62.87F (17.15C), co …
@abucci@anthony.buc.ci I believe you are correct.
@abucci@anthony.buc.ci That’s fucking insane 😱 I know what code-paths is triggering this, but need to confirm a few other things… Some correlation with logs would also help…
Do you happen to have the activitypub feature turned on btw? In fact could you just list out what features you have enabled please? 🙏
These should be getting cleaned up, but I’m very concerned about the sizes of these 🤔
Hah 😈
```
prologic@JamessMacStudio Fri Jul 26 00:22:44 ~/Projects/yarnsocial/yarn (main) 0
$ sift 'yarnd-avatar-*'
internal/utils.go:666: tf, err := receiveFile(res.Body, "yarnd-avatar-*")
```
@abucci@anthony.buc.ci Don’t suppose you can inspect one of those files could you? Kinda wondering if there’s some other abuse going on here that I need to plug? 🔌
@abucci@anthony.buc.ci Hmm that’s a bit weird then. Lemme have a poke.
Hmm remove the cpu limits on this pod, not even sure why I had ‘em set tbh, we decided at my day job that setting cpu limits on containers is a bit of a silly idea too. Anyway, pod should be much snappier now 😅
@movq@www.uninformativ.de Oh nothing much 🤣 Just a bunch of folks running really old versions of yarnd that were susceptible to abuse on the open web 🤣
Hopefully you should see traffic die off a bit too as the /external endpoint is no longer externally abusable (get it) without being an authenticated user – which became problematic 🤦♂️ – The web is so fucking hostile 🤬
@abucci@anthony.buc.ci Hopefully it shouldn’t 🤞
@abucci@anthony.buc.ci Fuck that script 🤣 you’re good! Just follow the Build from Source docs 😅
Thinking we need to adapt the UI a little bit to something like this
@bender@twtxt.net I can see the same errors again hmmm 🧐 @stigatle@yarn.stigatle.no Did you run out of disk again? 😅
I had a play with LiveKit Agents Playground: KITT and I have to say it’s pretty impressive. Not the ChatGPT part of course, but the speech recognition and text to speech synthesis.
KITT is an AI voice assistant powered by LiveKit Agents, Deepgram, Eleven Labs, and ChatGPT. It is running on LiveKit Playground.
It’s too bad it relies on three cloud services, none of which can be run locally (with the exception of Ollama that you could replace the OpenAI component with).
@lyse@lyse.isobeef.org Man gotta love that sunset !!! So nice 😊
You should have the fancy new SPA-like UI too 😅 (just checked!)
@stigatle@yarn.stigatle.no No worries at all! 👌
@prologic@twtxt.net I got it working, I reinstalled go under home (instead of where the go wiki tells me to install it), and pointed to that, as well as the variables you mentioned, that enabled me to compile it. Deleted the old yarnd, and made sure I run the new one.
Thanks for the help (as always :) ).
@stigatle@yarn.stigatle.no Note that “Building From Source” is covered in the docs
@prologic@twtxt.net Ok, thank you, I’ll try that.
You are reminding me that I should cut a release soon™ so there are binaries you can just “download” and use for the platform of choice 😅
@stigatle@yarn.stigatle.no So make deps would have installed some tools in either $GOPATH/bin or $GOBIN. See which with go env. Chuck that in your $PATH and you’re good to run make server. Normally this would be something like:
```bash
GOBIN=$HOME/go/bin
GOPATH=$HOME/go
export GOPATH GOBIN
...
```
@prologic@twtxt.net I did that, and it returns no error.
```
user@server:~/backup/yarn$ make deps
user@server:~/backup/yarn$ make server
/bin/sh: 4: minify: not found
/bin/sh: 5: minify: not found
/bin/sh: 6: minify: not found
make: *** [Makefile:84: generate] Error 127
```
@stigatle@yarn.stigatle.no Run make deps. I use a non-standard (written in Go) minify tool
@prologic@twtxt.net hm, I installed latest go (vps did not have that installed), I then did make deps, then make server, when I use the last command it said minify was not installed, I assumed minify package was the one to get, but it fails with that. (debian).
@stigatle@yarn.stigatle.no Take a backup of the data dir in case I screwed something up 🙏
@stigatle@yarn.stigatle.no Sweet 👌
@stigatle@yarn.stigatle.no I think pods have become exploited over time so I’ve had to tighten up some feature like the external handler 😢
@prologic@twtxt.net Ok, I’ll get it updated today.
@prologic@twtxt.net Ok, good to know. So the issue is the same ‘avatar in tmp’ issue filling up the disk. I did not check the dates on the avatars there, but it worked fine earlier yesterday, and was full today, so it seems to be the same issue mentioned earlier on here. I’ll keep an eye on it. I have not updated yarnd for a while, so I run v 0.15.1.
@stigatle@yarn.stigatle.no Ahh! Please update to the latest main 🙏
@stigatle@yarn.stigatle.no Works now! 🥳
@lyse@lyse.isobeef.org @bender@twtxt.net try again please.
@prologic@twtxt.net hm, it seems to be full disk that’s the issue, same problem with the avatar in tmp it seems that’s mentioned earlier here. I deleted them now. I regained 33% space (9GB).
@prologic@twtxt.net hm, okay, not sure what to do with it though. If I remember correct - I’ve just forwarded the subdomain to yarnd’s port - and that’s it.
This is the config (the closing brace of the server block was missing from the paste):
```nginx
server {
    server_name yarn.stigatle.no;
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8000;
        proxy_redirect off;
    }
}
```
@stigatle@yarn.stigatle.no It looks like you have some kind of problem with the reverse proxy in front of yarnd? 🤔 I’m seeing this error: incomplete chunked encoding error(s). I don’t know anything about this though, tbh I’ve never seen this before myself 🤔
@stigatle@yarn.stigatle.no I’m doing okay 👌 Busy with work as you can imagine, and still tinkering of course whenever I can spare a moment or two! 😅
@prologic@twtxt.net Thank you! How are you doing these days?
@lyse@lyse.isobeef.org hm, that’s weird, not sure what’s going on there to be honest.
For example this one that got fixed this year:
```
commit 4304ec7ea3c5df95e0ed82bfa292c9330e342f61
Author: James Mills <james@mills.io>
Date: Mon Jan 24 00:10:33 2022 +0000
Fix bug in DownloadImage() leaking termporary files for external avatar downloads (#746)
```