abucci

anthony.buc.ci

Recent twts from abucci

This year is a perfect square: 2025 = 45². Most of us reading this at time of posting won’t be alive next time that happens since 46² = 2116, 91 years from now. This has been bouncing around the internet but for some reason I felt compelled to record it here!

In-reply-to » There is a bug in yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like

A stopgap setting that would let me stop all calls to /external matching a particular pattern (like this damn lovetocode999 nick) would do the job. Given the potential for abuse of that endpoint, having more moderation control over what it can do is probably a good idea.

In-reply-to » @mckinley He's signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don't technically want open registrations on my pod but up till now I've been too lazy to figure out how to turn them off and actually do that, and there hasn't been a pressing need. I may have to now.

@lyse@lyse.isobeef.org Interesting. The yarnd --help currently says (for me):

  -R, --open-registrations            whether or not to have open user registgration

meaning it doesn’t give the default setting or warn you that you need to use -R=false and not -R false. It also leaves unclear whether --open-registrations false would work or if you need to do --open-registrations=false. It’s also unclear whether the setting change in the user interface is overridden by the command line arguments, overrides the command line arguments, is persisted across restarts.

Maybe all this is worth posting an issue for additional documentation on the git repo if there isn’t one already.

“registgration” is misspelled that way in the help by the way.


There is a bug in yarnd that’s been around for awhile and is still present in the current version I’m running that lets a person hit a constructed URL like

YOUR_POD/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin

and see a legitimate-looking page on YOUR_POD, with an HTTP code 200 (success). From that fake page you can even follow an external feed. Try it yourself, replacing “YOUR_POD” with the URL of any yarnd pod you know. Try following the feed.

I think URLs like this should return errors. They should not render HTML, nor produce legitimate-looking pages. This mechanism is ripe for DDoS attacks. My pod gets roughly 70,000 hits per day to URLs like this. Many are porn or other types of content I do not want. At this point, if it’s not fixed soon I am going to have to shut down my pod. @prologic@twtxt.net please have a look.

In-reply-to » 👋 Hello @nigergibe, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod's Discover feed to find users to follow and interact with. To follow new users, use the ⨁ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗

@mckinley@twtxt.net He’s signed up three times now even though I keep deleting the account, which is enough for me to permaban this person. I don’t technically want open registrations on my pod but up till now I’ve been too lazy to figure out how to turn them off and actually do that, and there hasn’t been a pressing need. I may have to now.

In-reply-to » @abucci / @abucci Any interesting errors pop up in the server logs since the flaw got fixed (unbounded receieveFile())? 🤔

@prologic@twtxt.net I don’t know if this is new, but I’m seeing:

Jul 25 16:01:17 buc yarnd[1921547]: time="2024-07-25T16:01:17Z" level=error msg="https://yarn.stigatle.no/user/stigatle/twtxt.txt: client.Do fail: Get \"https://yarn.stigatle.no/user/stigatle/twtxt.txt\": dial tcp 185.97.32.18:443: i/o timeout (Client.Timeout exceeded while awaiting headers)" error="Get \"https://yarn.stigatle.no/user/stigatle/twtxt.txt\": dial tcp 185.97.32.18:443: i/o timeout (Client.Timeout exceeded while awaiting headers)"

I no longer see twts from @stigatle@yarn.stigatle.no at all.

In-reply-to » @stigatle / @abucci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed's preamble (metadata). I'd love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/

@prologic@twtxt.net

./tools/dump_cache.sh: line 8: bat: command not found
No Token Provided

I don’t have bat on my VPS and there is no package for installing it. Is cat a reasonable alternate?

In-reply-to » @stigatle / @abucci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed's preamble (metadata). I'd love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/

@prologic@twtxt.net Try hitting this URL:

https://twtxt.net/external?nick=nosuchuser&uri=https://foo.com

Change nosuchuser to any phrase at all.

If you hit https://twtxt.net/external?nick=nosuchuser , you’re given an error. If you hit that URL above with the uri parameter, you get a legitimate-looking page. I think that is a bug.

In-reply-to » @stigatle / @abucci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed's preamble (metadata). I'd love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/

@prologic@twtxt.net Hitting that URL returns a bunch of HTML even though there is no user named lovetocode999 on my pod. I think it should 404, and maybe with a delay, to discourage whatever this abuse is. Basically this can be used to DDoS a pod by forcing it to generate a bunch of HTML just by doing a bogus GET like this.

In-reply-to » @stigatle / @abucci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed's preamble (metadata). I'd love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/

I’m seeing GETs like this over and over again:

"GET /external?nick=lovetocode999&uri=https://vuf.minagricultura.gov.co/Lists/Informacin%20Servicios%20Web/DispForm.aspx?ID=8375144 HTTP/1.1" 200 35861 17.077914ms

always to nick=lovetocode999, but with different uris. What are these calls?

In-reply-to » @prologic 10 Gbytes has accumulated since I made that last post. It's coming in at a rate of 55 Mbits/second !

The vast majority of this traffic was coming from a single IP address. I blocked that IP on my VPS, and I sent an abuse report to the abuse email of the service provider. That ought to slow it down, but the vulnerability persists and I’m still getting traffic from other IPs that seem to be doing the same thing.

In-reply-to » @prologic 10 Gbytes has accumulated since I made that last post. It's coming in at a rate of 55 Mbits/second !

@prologic@twtxt.net There are a lot of logs being generated by yarnd, which is something I haven’t seen before too:

Jul 25 14:32:42 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:42 (162.211.155.2) "GET /twt/ubhq33a HTTP/1.1" 404 29 643.251µs
Jul 25 14:32:43 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:43 (162.211.155.2) "GET /twt/112073211746755451 HTTP/1.1" 400 12 505.333µs
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (111.119.213.103) "GET /twt/whau6pa HTTP/1.1" 200 37360 35.173255ms
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (162.211.155.2) "GET /twt/112343305123858004 HTTP/1.1" 400 12 455.069µs
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (168.199.225.19) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Fwww.palapa.pl%2Fbaners.php%3Flink%3Dhttps%3A%2F%2Fwww.dwnewstoday.com HTTP/1.1" 200 36167 19.582077ms
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (162.211.155.2) "GET /twt/112503061785024494 HTTP/1.1" 400 12 619.152µs
Jul 25 14:32:46 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:46 (162.211.155.2) "GET /twt/111863876118553837 HTTP/1.1" 400 12 817.678µs
Jul 25 14:32:46 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:46 (162.211.155.2) "GET /twt/112749994821704400 HTTP/1.1" 400 12 540.616µs
Jul 25 14:32:47 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:47 (103.204.109.150) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Fampurify.com%2Fbbs%2Fboard.php%3Fbo_table%3Dfree%26wr_id%3D113858 HTTP/1.1" 200 36187 15.95329ms

I’ve seen that nick=lovetocode999 a bunch.

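
A way to triage access logs in the layout quoted above, as an added example that is not part of the original posts and not yarnd code: it groups rendered (HTTP 200) /external requests by nick and counts distinct source addresses and target URIs. The log lines are constructed (documentation IP ranges, placeholder URIs, hypothetical host and PID); `summarizeExternal` and `NickStats` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample in the access-log layout shown in the post above.
const sampleLog = `Jul 25 14:32:42 pod yarnd[1000]: [yarnd] 2024/07/25 14:32:42 (192.0.2.10) "GET /twt/abc1234 HTTP/1.1" 404 29 643.251µs
Jul 25 14:32:44 pod yarnd[1000]: [yarnd] 2024/07/25 14:32:44 (198.51.100.7) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Fexample.org%2Fa HTTP/1.1" 200 36167 19.582077ms
Jul 25 14:32:45 pod yarnd[1000]: [yarnd] 2024/07/25 14:32:45 (203.0.113.5) "GET /external?nick=lovetocode999&uri=https://example.net/b?ID=1 HTTP/1.1" 200 35861 17.077914ms
Jul 25 14:32:45 pod yarnd[1000]: time="2024-07-25T14:32:45Z" level=error msg="client.Do fail: i/o timeout (Client.Timeout exceeded while awaiting headers)"
Jul 25 14:32:47 pod yarnd[1000]: [yarnd] 2024/07/25 14:32:47 (198.51.100.7) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Fexample.com%2Fc HTTP/1.1" 200 36187 15.95329ms
Jul 25 14:32:48 pod yarnd[1000]: [yarnd] 2024/07/25 14:32:48 (192.0.2.10) "GET /external?nick=nosuchuser HTTP/1.1" 404 19 1.2ms
Jul 25 14:32:49 pod yarnd[1000]: [yarnd] 2024/07/25 14:32:49 (203.0.113.9) "GET /external?nick=lovetocode999&uri=https://example.org/long-path>`

// accessRe captures: source IP, method, request target, status, response bytes.
var accessRe = regexp.MustCompile(`\((\S+)\) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) (\d+) `)

// NickStats summarizes rendered /external pages for one nick value.
type NickStats struct {
	Nick  string
	Hits  int   // requests answered with 200
	Bytes int64 // response bytes generated for those requests
	IPs   int   // distinct source addresses
	URIs  int   // distinct uri parameter values
}

// summarizeExternal returns per-nick statistics, busiest first, plus the
// number of lines that were not complete access-log entries (application
// errors, or lines truncated by the pager as in the journal excerpt).
func summarizeExternal(log string) (stats []NickStats, unparsed int) {
	type agg struct {
		hits  int
		bytes int64
		ips   map[string]bool
		uris  map[string]bool
	}
	byNick := map[string]*agg{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := accessRe.FindStringSubmatch(line)
		if m == nil {
			unparsed++
			continue
		}
		u, err := url.Parse(m[3])
		if err != nil || u.Path != "/external" || m[4] != "200" {
			continue // only pages that were actually rendered are of interest
		}
		q := u.Query() // decodes both raw and percent-encoded uri values
		a := byNick[q.Get("nick")]
		if a == nil {
			a = &agg{ips: map[string]bool{}, uris: map[string]bool{}}
			byNick[q.Get("nick")] = a
		}
		n, _ := strconv.ParseInt(m[5], 10, 64)
		a.hits++
		a.bytes += n
		a.ips[m[1]] = true
		a.uris[q.Get("uri")] = true
	}
	for nick, a := range byNick {
		stats = append(stats, NickStats{nick, a.hits, a.bytes, len(a.ips), len(a.uris)})
	}
	sort.Slice(stats, func(i, j int) bool { return stats[i].Hits > stats[j].Hits })
	return stats, unparsed
}

func main() {
	stats, unparsed := summarizeExternal(sampleLog)
	for _, s := range stats {
		fmt.Printf("%s: %d pages, %d bytes, %d IPs, %d URIs\n", s.Nick, s.Hits, s.Bytes, s.IPs, s.URIs)
	}
	fmt.Println("lines skipped as unparsed:", unparsed)
}
```

In the sample, one nick accounts for every rendered /external page across two source addresses, the pattern that makes a per-IP block insufficient on its own.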
In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@prologic@twtxt.net Inspect? What’s sift? What would you like to know about the files?

In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@prologic@twtxt.net 10 Gbytes has accumulated since I made that last post. It’s coming in at a rate of 55 Mbits/second !

In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@prologic@twtxt.net I’m still getting this crap:

abucci@buc:~/yarnd/yarn$ ls -lh /tmp/yarnd-avatar-*
-rw------- 1 abucci abucci 863M Jul 25 14:19 /tmp/yarnd-avatar-1594499680
-rw------- 1 abucci abucci 7.8G Jul 25 14:19 /tmp/yarnd-avatar-2144295337
-rw------- 1 abucci abucci 9.8G Jul 25 14:19 /tmp/yarnd-avatar-2334738193
-rw------- 1 abucci abucci  10G Jul 25 14:14 /tmp/yarnd-avatar-2494107777
-rw------- 1 abucci abucci 9.5G Jul 25 13:59 /tmp/yarnd-avatar-2619243454
-rw------- 1 abucci abucci  11G Jul 25 14:04 /tmp/yarnd-avatar-2922187513
-rw------- 1 abucci abucci 7.5G Jul 25 14:14 /tmp/yarnd-avatar-349775570
-rw------- 1 abucci abucci  10G Jul 25 14:09 /tmp/yarnd-avatar-3640724243
-rw------- 1 abucci abucci 901M Jul 25 14:19 /tmp/yarnd-avatar-3921595598
-rw------- 1 abucci abucci 9.5G Jul 25 13:59 /tmp/yarnd-avatar-609094539
-rw------- 1 abucci abucci 9.3G Jul 25 14:04 /tmp/yarnd-avatar-755173392
-rw------- 1 abucci abucci 7.9G Jul 25 14:09 /tmp/yarnd-avatar-984061000

Something like 100 Gbytes of this junk has accumulated since I updated and re-started the server. I’m now running the latest version of yarnd, so the update did not fix the problem. Something else is going wrong.

How are temporary files growing to 10 Gbytes in size? The name of the file is “yarn-avatar”, but why would avatars be so large?

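
The replies quoted in this thread attribute the growth to an unbounded file fetch of a remotely advertised avatar URL. As an added example (not yarnd's code and not the project's actual fix), this is one way to write a fetch-to-temp-file routine in Go that enforces a size cap and never leaves a partial file behind; `fetchCapped`, the 1 MiB limit, the `example-avatar-` prefix and the local test server are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// ErrTooLarge reports that the remote body exceeded the caller's cap.
var ErrTooLarge = errors.New("remote file exceeds size limit")

// fetchCapped (hypothetical name) downloads url into a temp file under dir,
// reading at most maxBytes+1 bytes and removing the file on any failure.
func fetchCapped(c *http.Client, url, dir string, maxBytes int64) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	// Early exit when the server declares a size. ContentLength is -1 for
	// chunked responses, so this check alone is not sufficient.
	if resp.ContentLength > maxBytes {
		return "", ErrTooLarge
	}
	f, err := os.CreateTemp(dir, "example-avatar-*")
	if err != nil {
		return "", err
	}
	// Read one byte past the cap so "at the cap" and "over it" are distinct.
	n, copyErr := io.Copy(f, io.LimitReader(resp.Body, maxBytes+1))
	closeErr := f.Close()
	switch {
	case n > maxBytes:
		err = ErrTooLarge
	case copyErr != nil:
		err = copyErr
	default:
		err = closeErr
	}
	if err != nil {
		os.Remove(f.Name()) // rejected downloads must not accumulate on disk
		return "", err
	}
	return f.Name(), nil
}

// demo runs fetchCapped against a constructed local server: /small streams
// 64 KiB, /big streams 4 MiB, both without a Content-Length header.
func demo() (smallSize int64, bigErr error, leftover int, err error) {
	chunk := make([]byte, 64<<10)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n := 1
		if r.URL.Path == "/big" {
			n = 64
		}
		for i := 0; i < n; i++ {
			if _, werr := w.Write(chunk); werr != nil {
				return // client hung up after reaching its cap
			}
			w.(http.Flusher).Flush()
		}
	}))
	defer srv.Close()

	dir, err := os.MkdirTemp("", "capdemo-")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	client := &http.Client{Timeout: 10 * time.Second}
	const limit = 1 << 20

	path, err := fetchCapped(client, srv.URL+"/small", dir, limit)
	if err != nil {
		return
	}
	info, err := os.Stat(path)
	if err != nil {
		return
	}
	smallSize = info.Size()
	os.Remove(path)

	_, bigErr = fetchCapped(client, srv.URL+"/big", dir, limit)
	entries, err := os.ReadDir(dir)
	leftover = len(entries)
	return
}

func main() {
	fmt.Println(demo())
}
```

The client timeout bounds how long a slow sender can hold the connection; the byte cap bounds how much disk a fast one can consume.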
In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@prologic@twtxt.net Alright, running yarnd 0.15.1 now. I stopped my hack so we’ll see if the VPS gets clogged with junk 😆

In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@prologic@twtxt.net

abucci@buc:~/yarnd/yarn$ make preflight
Checking Go version ...                 [ ERR ]
Go 1.16+ is required, found go1.22.5
FATAL: 🙁 preflight failed
make: *** [Makefile:33: preflight] Error 1

🤔

In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@prologic@twtxt.net Aha, got it. Thanks for looking into it. I’m updating now and we’ll see if that stops it.

In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@prologic@twtxt.net Sure, but why would this start happening all of a sudden today? Nothing like this has happened before. Is this a known bug?

In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@prologic@twtxt.net 0.15.1, looks like.

In-reply-to » Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

@bender@twtxt.net I hope so too. I’ve never seen anything like this before. Whatever it is, it’s strange.


Hack of the day: running watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.

In-reply-to » @abucci Oh hey! 👋

This is completely insane!

abucci@buc:/tmp$ du -sh /tmp/yarnd-avatar-*
564M    /tmp/yarnd-avatar-3024946878
7.2G    /tmp/yarnd-avatar-3122347915
11G     /tmp/yarnd-avatar-3533381443
445M    /tmp/yarnd-avatar-441914658

I’m going to have to shut down my server soon. This looks like some kind of DDoS. Whether intentional or not it’s filling up the disk at an unsustainable rate.

In-reply-to » @abucci Oh hey! 👋

There are also a bunch of log messages scrolling by. I’ve never seen this much activity in the log:

Jul 25 01:37:39 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:39 (149.71.56.69) "GET /external?nick=lovetocode999&uri=https://pagez.co.uk/services/your-own-100-fully-owned-online-vi>
Jul 25 01:37:39 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:39 (162.211.155.2) "GET /twt/112135496802692324 HTTP/1.1" 400 12 826.65µs
Jul 25 01:37:40 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:40 (51.222.253.14) "GET /conv/muttriq HTTP/1.1" 200 36881 20.448309ms
Jul 25 01:37:40 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:40 (162.211.155.2) "GET /twt/112730114943543514 HTTP/1.1" 400 12 663.493µs
Jul 25 01:37:40 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:40 (27.75.213.253) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Falfarah.jo%2FHome%2FChangeCulture%3FlangCode%3Den>
Jul 25 01:37:40 buc.ci yarnd[829]: time="2024-07-25T01:37:40Z" level=error msg="http://bynet.com.br/log_envio.asp?cod=335&email=%21%2AEMAIL%2A%21&url=https%3A%2F%2Fwww.almanacar.c>
Jul 25 01:37:40 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:40 (162.211.155.2) "GET /twt/111674756400660911 HTTP/1.1" 400 12 545.106µs
Jul 25 01:37:40 buc.ci yarnd[829]: time="2024-07-25T01:37:40Z" level=warning msg="feed FetchFeedRequest: @<lovetocode999 http://alfarah.jo/Home/ChangeCulture?langCode=en&returnUrl>
Jul 25 01:37:41 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:41 (162.211.155.2) "GET /twt/112507964696096567 HTTP/1.1" 400 12 838.946µs

Something really weird is going on?

In-reply-to » @abucci Oh hey! 👋

I deleted them all right before I sent my previous message, and already, a few minutes later, there are two more:

abucci@buc:~$ du -sh /tmp/yarnd-avatar-3*
1.8G    /tmp/yarnd-avatar-3122347915
2.4G    /tmp/yarnd-avatar-3533381443

What is this?

In-reply-to » @abucci Oh hey! 👋

@prologic@twtxt.net This is weird, but today, out of nowhere, yarnd filled up the disk on the VPS where I run it. It’s never done anything like this before and I have no idea why it would start. But it threw almost 700 Gbytes of data into /tmp in files like this:

yarnd-avatar-1087570772  yarnd-avatar-1599127133  yarnd-avatar-2042956376  yarnd-avatar-2562946212  yarnd-avatar-3274766535  yarnd-avatar-3931929859  yarnd-avatar-553201529
yarnd-avatar-1089125452  yarnd-avatar-1606826819  yarnd-avatar-2089122560  yarnd-avatar-2611944556  yarnd-avatar-3310922372  yarnd-avatar-3938996661  yarnd-avatar-556240195
yarnd-avatar-1101228867  yarnd-avatar-1618755765  yarnd-avatar-2104107259  yarnd-avatar-2641384948  yarnd-avatar-3326285269  yarnd-avatar-3939402047  yarnd-avatar-559344463
yarnd-avatar-1112165824  yarnd-avatar-1650827505  yarnd-avatar-2142824779  yarnd-avatar-2680659340  yarnd-avatar-3340682113  yarnd-avatar-3998621883  yarnd-avatar-570292705
yarnd-avatar-1119886894  yarnd-avatar-1656673647  yarnd-avatar-2160786463  yarnd-avatar-271923479   yarnd-avatar-3374584613  yarnd-avatar-4005102536  yarnd-avatar-595490106
yarnd-avatar-1131417623  yarnd-avatar-1685698239  yarnd-avatar-2165405940  yarnd-avatar-2793562275  yarnd-avatar-3380606954  yarnd-avatar-4016872095  yarnd-avatar-679251850
yarnd-avatar-1160959085  yarnd-avatar-1746759128  yarnd-avatar-2171489899  yarnd-avatar-2842068287  yarnd-avatar-3416352997  yarnd-avatar-4110048378  yarnd-avatar-679950970
yarnd-avatar-1231649265  yarnd-avatar-1752278279  yarnd-avatar-2251317422  yarnd-avatar-2843868670  yarnd-avatar-3468636088  yarnd-avatar-4116552474  yarnd-avatar-737874628

164 files. Some are empty, some are 7 or even 10 Gbyte.

Any idea what would cause that? And why now, after running yarnd for so long with nothing like this happening?

In-reply-to » Microsoft Outage Hits Users Worldwide, Leading To Canceled Flights Microsoft grappled with a major service outage, leaving users across the world unable to access its cloud computing platforms and causing airlines to cancel flights. From a report: Thousands of users across the world reported problems with Microsoft 365 apps and services to Downdetector.com, a website that tracks service disruptions. "We're inve ... ⌘ Read more

@movq@www.uninformativ.de This outage did affect me, though not much, via the university where my wife teaches and where I teach sometimes. They actually sent out an alert in their emergency alert system (the one they use to alert people of extreme weather events and bomb threats, mostly), telling people that all IT systems were down.

A friend of mine elsewhere pointed out that they pushed this change on a Friday, which of course no software developer with any experience would ever, ever, ever do. I have to assume there’s some toxic management at CrowdStrike, but who knows. Even more reasons to sympathize with the poor folks who are probably going to be working nights and weekends to clean up this mess.

In-reply-to » 👋 Hello @hoorydrotrult, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod's Discover feed to find users to follow and interact with. To follow new users, use the ⨁ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome! 🤗

@prologic@twtxt.net One of these days I’ll turn off registrations

In-reply-to » Regarding complexity budget, slow software, all that:

@movq@www.uninformativ.de Somewhere or another, I think in a William Byrd talk, I heard it suggested that the best ideas in computer science should fit on an index card (ah yes it’s this one: https://paperswelove.org/2017/video/will-byrd-most-beautiful-program/ ). He was referring to the basic principles of LISP/the lambda calculus, which have sometimes been called the Maxwell’s equations of computer programming (by Alan Kay). Simple, short, elegant, but very densely packed with meaning–generations of people have spent their whole careers unpacking what those simple rules can do.

Much of modern software feels like the polar opposite of that. Not only can you not write it on an index card, you never will be able to because people who write software don’t seem to aspire to try. I wish more people thought this way though!

In-reply-to » Windows computers around the world are failing in a major outage An update to a piece of software called CrowdStrike Falcon Sensor appears to be negatively impacting Windows computers worldwide, with banks, airports, broadcasters and more finding that devices display a "blue screen of death" instead of booting up ⌘ Read more

@New_scientist@feeds.twtxt.net It’s insane that a single botched software update can have worldwide impact. We’ve messed up badly.

In-reply-to » I think @abucci and @stigatle are running snac? I didn’t have a closer look at snac (no intention of running it), but if that is a relatively small daemon (maybe comparable to Yarn?) that gives you access to the whole world of ActivityPub, then, well, yeah … That’s tough to beat.

@bender@twtxt.net I have nothing against GoToSocial, but:

GoToSocial stores statuses, accounts, etc, in a database. This can be either SQLite or Postgres.

snac is simpler. Some JSON files and that’s it. I can read them with jq and less. I can use tar to back them up. I can hand edit them in a text editor.

In-reply-to » Is Yarn.social dead or just too niche? (uyrrria) 🧐

I think @abucci@anthony.buc.ci and @stigatle@yarn.stigatle.no are running snac? I didn’t have a closer look at snac (no intention of running it), but if that is a relatively small daemon (maybe comparable to Yarn?) that gives you access to the whole world of ActivityPub, then, well, yeah … That’s tough to beat.

Yes, I am running snac on the same VPS where I run my yarn pod. I heard of it from @stigatle@yarn.stigatle.no, so blame him 😁 snac is written in C and is one simple executable, uses very little resources on the server, and stores everything in JSON files (no databases or other integrations; easy to save and migrate your data). It’s definitely like yarn in that respect.

I haven’t been around yarn much lately. Part of that is that I’ve been very busy at work and home and only have a limited time to spend goofing off on a social network. Part of it is that I’m finding snac very useful: I’ve connected with friends I’d previously lost touch with, I’ve found useful work-related information, I’ve found colleagues to follow, and even found interesting conferences to attend. There’s a lot more going on over there.

I guess if I had to put it simply, I’d say I have limited time to play and there are more kids in the ActivityPub sandbox than this one. That’s not a ding on yarn–I like yarn and twtxt–I’m just time constrained.

In-reply-to » Silicon Valley’s top AI models are terrible at rebus wordplay puzzles Rebus puzzles provide wordplay challenges involving both images and text, and they can confound Silicon Valley’s most powerful AI models ⌘ Read more

@New_scientist@feeds.twtxt.net Silicon Valley’s top AI models are terrible at almost everything. They only seem otherwise because people are easily fooled into believing they have capabilities they don’t have.

In-reply-to » World's richest 1% emit as much carbon as bottom two-thirds: report The richest one percent of the global population are responsible for the same amount of carbon emissions as the world's poorest two-thirds, or five billion people, according to an analysis published Sunday by the nonprofit Oxfam International. ⌘ Read more

@Phys_org@feeds.twtxt.net We’re going to be killed by these people’s excesses, almost literally. This ratio is indefensible.

In-reply-to » DeepMind AI can beat the best weather forecasts - but there is a catch By using artificial intelligence to spot patterns in weather data, Google DeepMind says it can beat existing weather forecasts up to 99.7 per cent of the time, but data issues mean the approach is limited for now ⌘ Read more

@prologic@twtxt.net I feel like my kid is a better weather predictor than most weather sites. He freaks out whenever the pressure drops and we know a storm is coming 😆

In-reply-to » DeepMind AI can beat the best weather forecasts - but there is a catch By using artificial intelligence to spot patterns in weather data, Google DeepMind says it can beat existing weather forecasts up to 99.7 per cent of the time, but data issues mean the approach is limited for now ⌘ Read more

@xuu Right now they’re laying the groundwork for uncritical belief in the power of #AI, so the next step will be accepting the magical incantations as if they were real.

In-reply-to » DeepMind AI can beat the best weather forecasts - but there is a catch By using artificial intelligence to spot patterns in weather data, Google DeepMind says it can beat existing weather forecasts up to 99.7 per cent of the time, but data issues mean the approach is limited for now ⌘ Read more

@New_scientist@feeds.twtxt.net no it can’t. Your blurb is literally “if we had data we can’t have, we could predict weather better”. DeepMind is irrelevant in that statement–anyone could.


More data contradicting the existence of “echo chambers”. As I’ve argued many times before, the concept of an echo chamber or information bubble is not real. The podcast below is an interview of an author of a study where they actually intervened and changed the information diet of 20,000 people (with consent!), then surveyed them after three months. They observed essentially no changes to the study subjects’ beliefs and attitudes. They also observed that the typical person, while they tend to gravitate towards people with similar political leanings, only get about 50% of their content from such like-minded people. They get the rest from neutral sources and maybe 20% from non-like-minded people.

Varied information diet + No change in attitudes when information diet is forced to be different = no echo chamber.

Listen to the podcast episode here

In-reply-to » How is everyone finding GitHub CoPilot? 🤔 Good / Bad ? 🤔

@prologic@twtxt.net

  1. It’s criminal: Copilot was only possible because of massive theft of other peoples’ work (no compensation or even acknowledgement to any of the developers whose code was used to create Copilot)
  2. It’s positioned to put software developers out of work or so fully de-skill them that they no longer know how to code anything but prompts (after which come corporate-justified salary and benefits decreases)

Don’t use it. No one should ever use it. You’re destroying your own future as a software developer by leaning on and supporting these things.


How Google Authenticator made one company’s network breach much, much worse | Ars Technica

🤦‍♂

WHY are these big companies treated as though they are the be all and end all of infosec? These are rookie mistakes Google’s making, at scale.

Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”, instead there is just a “unlink Google account” option.

Like, never ever put your multi-factor tokens into a single cloud storage location! The whole point of this being “multi” factor is that there is a separate, independent physical factor involved in the authentication process. If the authenticator app on your phone puts the tokens in the cloud, then it reduces the security that comes from having a second factor. This is basic stuff.

Of course, never ever use Google Authenticator. All it does is generate TOTP and HOTP codes, which you can do with any OTP app, preferably an open source one that’s been vetted.


How Google Authenticator made one company’s network breach much, much worse | Ars Technica

🤦‍♂

WHY are these big companies treated as though they are the be all and end all of infosec? These are rookie errors they’re making, at scale.

Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”, instead there is just a “unlink Google account” option.

In-reply-to » I guess I'm ready for bed. Instead of grep -rin foo I just typed rm -rf foo. What the heck, brain!? O_o Luckily, I just caught it before hitting Enter.

@mckinley@twtxt.net I do the ls thing regularly. I even do it after I’ve already lsed the directory but have run some other command afterwards. I tend to think of it like the LOOK command in text adventures.

In-reply-to » Experts warn 'green growth' in high income countries is not happening, call for 'post-growth' climate policies The emission reductions in the 11 high-income countries that have "decoupled" CO2 emissions from Gross Domestic Product (GDP) fall far short of the reductions that are necessary to limit global warming to 1.5°C or even just to "well below 2°C" and comply with international fairness principles, as required by the Paris Agreement, according to a paper published in The Lancet Planetary Health j ... ⌘ Read more

@Phys_org@feeds.twtxt.net Green growth was always horseshit and everyone knows it.

In-reply-to » In setting up my own company and its internal tools and services and supporting infrastructure, the only thing I haven't figured out how to solve "really well" is Email, Calendar and Contacts 😢 All the options that exist "suck". They suck either in terms of "operational complexity and overheads" or "a poor user experience".

@prologic@twtxt.net I use the gmail webapp for work, and I have to say that over the years it’s gotten less and less usable. There are so many little usability things that it’s bad at. For instance, if you select a message and hit the Delete key nothing happens. The message is not put in the trash like you’d expect. There are issues like that scattered all over the app. I suspect they spend most of their energy on the spyware side of gmail and dedicate less to making it a useful app for end users (which seems to be true of their search engine too).

In-reply-to » @adi @prologic It's worth bearing in mind that

@adi@twtxt.net I think it is, and one benefit they have is that you can add third-party repositories to the F-Droid app as you discover them. So, for instance, if you know of a developer who pushes builds to an F-Droid compatible repository, you can add that to your F-Droid app and start tracking updates like you would for any other app in there. Can’t do that with Google Play!

F-Droid tends to focus on open source applications that can be built in a reproducible way, which limits the inventory (though of course tends to mean the apps are safer and don’t spy on you). There are non-free apps in there as well but they come with warnings so you’re informed about what you might be sacrificing by using them.

That said if you have a favorite app you get through Google Play, there’s a decent chance it won’t be in F-Droid. Many “big corporate” apps aren’t, and vendor-specific apps tend not to be either. But for most of the major functions you might want, like email clients, calendar apps, weather apps, etc etc, there are very good substitutes now in F-Droid. You’re definitely making a trade-off though.

What I did was go through the apps I had installed on my last phone, found as many substitutes in F-Droid as I could, started using those instead to see how they worked, and bit by bit replaced as much as I could from Google Play with a comparable app from F-Droid. I still have a few apps (mostly vendor-specific things that don’t have substitutes) that come from Google Play but I’m aiming to be rid of those before I need to replace this phone.

In-reply-to » @adi oh yeah, no doubt. I just like to keep an eye on these things because I hate being blindsided.

@prologic@twtxt.net yeah, it’s true. Thing is, Linux as a desktop operating system sucked in 1996 yet I adopted it then anyway because I wanted nothing to do with MS anymore 😆 I know it’s not for everyone but I’m pretty tolerant of a less-than-stellar experience if it means I can be free of big-company garbage.

I haven’t tried a Linux-based smartphone OS in a long time so I don’t have any idea how bad/good it might be. I figure when I finally break down and get a new phone I’ll experiment on my current phone.

In-reply-to » @adi @prologic It's worth bearing in mind that

@adi@twtxt.net @prologic@twtxt.net F-droid. Getting APKs from developers you trust and side-loading them. Some flavor of Linux. Some distro of the open source parts of Android.

There are lots of options. Bit by bit I divest from anything that’s distributed from Google Play. With my latest phone I find and download APKs so that I could have the app without all the Google crap woven through it. By the time I need to replace this one I’ll be fully free of Google Play. Most of my apps come from F-droid now. You can have a perfectly functional phone/pocket computer unless you’re addicted to installing dozens of corporate apps.

In-reply-to » @adi @prologic It's worth bearing in mind that

@prologic@twtxt.net I’ve had a Teracube phone for about 3 years now. Theirs comes with a guarantee of 4 years–if something that’s covered breaks, you send the phone to them and they fix it and send it back, or they send you a new one. I took advantage of that last year when the screen broke; their tech support even helped me figure out how to wipe the phone when the screen didn’t display anything. Pretty painless all around. Have to say I’ve been very happy with it. It doesn’t have the top-end features that new big company phones have, but I don’t want those features so that’s not an issue for me. I dunno if it’s available in Australia or if it’s just a US thing.