
Patrick Figel @pfigel@mastodon.at

Me whenever I see tech people trying to interpret GDPR somewhere online:

Here's a version of the block list you can dump in your nginx to get rid of the bots:

gist.github.com/patf/1ae99fdd1

The advantage of using nginx here instead of your firewall/iptables is that you'll have an easier time checking for false-positives in logs (in case I fucked up); the bots follow a predictable pattern (GET / then GET /auth/sign_up) while real traffic would stand out.

cc @Gargron

Here's a slightly revised CIDR list that seems to cover all the IPs used by the spammers so far:

gist.github.com/patf/1ae99fdd1

(some CIDRs are redundant because they're from different sources)

Hopefully that'll do for now.

Definitely looks like a spam campaign. So far all accounts signed up from the same ISP. Here's a script you can paste in your rails console to find all users from IP ranges belonging to that ISP (assuming I didn't miss any):

gist.githubusercontent.com/pat

To get to the rails console, run this in /home/mastodon/live as the mastodon user:

RAILS_ENV=production bundle exec rails c

You might also want to temporarily ban those IP ranges if the sign-ups don't stop. I did.
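An added example, written here and not taken from the gists linked above or from Mastodon itself: it parses nginx access-log lines, checks each client IP against a CIDR list with Ruby's IPAddr, and flags the GET / then GET /auth/sign_up sequence described in the nginx post, so listed IPs that do not behave like the bot stand out as possible false positives and unlisted IPs that do stand out as ranges the list missed. The same CIDR check is then applied to constructed user records, standing in for the rails console query. The CIDR list, log lines and user records are all constructed for the example (RFC 5737 documentation prefixes), not the real spammer addresses.

```ruby
require 'ipaddr'

# Constructed stand-in for the CIDR list in the gist. These are RFC 5737
# documentation prefixes, NOT the spammer's real ranges.
BLOCKED_CIDRS = %w[192.0.2.0/24 198.51.100.0/25 203.0.113.64/26]
                .map { |cidr| IPAddr.new(cidr) }.freeze

# Constructed nginx "combined" access-log lines, not real traffic.
#   192.0.2.17    listed, shows the bot pattern       -> confirmed bot
#   198.51.100.9  listed, browses like a real user    -> possible false positive
#   203.0.113.200 not listed, shows the bot pattern   -> range the list missed
SAMPLE_LOG = <<~LOG
  192.0.2.17 - - [10/Apr/2018:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  192.0.2.17 - - [10/Apr/2018:12:00:02 +0000] "GET /auth/sign_up HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
  192.0.2.17 - - [10/Apr/2018:12:00:03 +0000] "POST /auth HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [10/Apr/2018:12:01:11 +0000] "GET /@alice HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
  198.51.100.9 - - [10/Apr/2018:12:01:12 +0000] "GET /api/v1/timelines/home HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
  203.0.113.200 - - [10/Apr/2018:12:02:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  203.0.113.200 - - [10/Apr/2018:12:02:01 +0000] "GET /auth/sign_up HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
LOG

# Constructed user records standing in for User rows from the rails console
# (Devise's trackable columns are where the sign-up/sign-in IPs live).
SAMPLE_USERS = [
  { id: 1, email: "alice@example.org", ip: "198.51.100.200" },
  { id: 2, email: "spam1@example.org", ip: "192.0.2.40" },
  { id: 3, email: "spam2@example.org", ip: "198.51.100.3" },
  { id: 4, email: "bob@example.org",   ip: "2001:db8::1" },
].freeze

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*"/

# One hash per well-formed log line; malformed lines are skipped.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LOG_RE.match(line) or next
    { ip: m[:ip], method: m[:method], path: m[:path] }
  end
end

# True when ip falls inside one of the listed prefixes (same address family only).
def blocked?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_CIDRS.any? { |cidr| cidr.family == addr.family && cidr.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# The sign-up bots fetch "/" and then "/auth/sign_up", in that order.
def bot_pattern?(requests)
  gets = requests.select { |r| r[:method] == "GET" }.map { |r| r[:path] }
  root = gets.index("/")
  !root.nil? && gets.drop(root + 1).include?("/auth/sign_up")
end

# Per-IP verdict: cross the block list with the behavioural pattern.
def classify(log_text)
  parse_log(log_text).group_by { |r| r[:ip] }.to_h do |ip, reqs|
    listed  = blocked?(ip)
    botlike = bot_pattern?(reqs)
    verdict = if listed && botlike then :confirmed_bot
              elsif listed         then :possible_false_positive
              elsif botlike        then :missed_bot
              else                      :clean
              end
    [ip, { blocked: listed, bot_pattern: botlike, verdict: verdict }]
  end
end

# Plain-Ruby equivalent of the console query: users whose IP is in the list.
def users_in_blocked_ranges(users)
  users.select { |u| blocked?(u[:ip]) }
end

if $PROGRAM_NAME == __FILE__
  classify(SAMPLE_LOG).each { |ip, info| puts "#{ip.ljust(15)} #{info[:verdict]}" }
  ids = users_in_blocked_ranges(SAMPLE_USERS).map { |u| u[:id] }
  puts "users in listed ranges: #{ids.inspect}"
end
```

Run it against a real access log by feeding `File.read("/var/log/nginx/access.log")` to `classify` and swapping in the real CIDRs; the `:possible_false_positive` entries are the ones to eyeball before leaving a range in the block list, and `:missed_bot` entries are candidates for adding to it.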

Anyone else seeing spammy-looking signups from QUALITYNETWORK IP ranges?

Not deploying a simple HTTP header, something that literally every website security scan out there would flag, is apparently not a sign of crappy security practices, folks.

It's quite telling that infosec people are mostly talking about DNSSEC and whatnot instead of being like "Wait, you're telling me a cryptocurrency wallet handling millions every day did not deploy HSTS?"

No one's even surprised anymore.

Oh for fuck's sake, OpenSSL. Just when I was starting to think they'd finally gotten their shit together

TFW you're looking for XSS and accidentally find RCE

#Pinafore v0.2.0 is out!

- new "Sorcery" theme by @mlcdf
- block/unblock accounts
- mute/unmute accounts
- CSP for better security
- fix emojos in CWs
- perf and UI fixes

Release notes: github.com/nolanlawson/pinafor toot.cafe/media/HoUCsRuVey9LKq

#Pinafore v0.1.4 is out:

- hit Ctrl-Enter / Cmd-Enter to post a toot
- new Cobalt dark theme
- bugfixes

Thanks very much @SpankyWorks @codl @chris ! github.com/nolanlawson/pinafor

Mastodon.at now provides an alternative web interface via Pinafore. If the regular web interface sometimes feels a bit slow for you, or if you simply prefer a single-column client, you can give it a shot here: light.mastodon.at/

For more details on Pinafore, see: nolanlawson.com/2018/04/09/int

It's time to reset the "days since a major vulnerability in a JWT implementation has been discovered" counter.

medium.com/@cintainfinita/knoc

Yes, OpenStack Horizon, sending an HTTP request for every object in a directory is surely the best way to implement directory deletion. I don't mind letting Chrome run for a few days.

Let's Encrypt has enabled Certificate Transparency SCT embedding today, so it's now incredibly easy to roll out the Expect-CT security header.

Chrome will soon make Certificate Transparency mandatory for newly-issued certificates, but a malicious or compromised CA can get around this requirement by backdating certificates. Expect-CT allows you to close this loophole by enabling enforcement for your domain no matter what.

More on (Expect-)CT:
developer.mozilla.org/en-US/do
certificate-transparency.org/
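An added example, not from the post or from any of the linked projects: a small Ruby parser and builder for the Expect-CT header value, so you can check what a given value actually does (enforce, report-only, or neither) before rolling it out. The directive rules it applies (comma-separated name or name=value tokens, case-insensitive names, no duplicate directives, unknown directives ignored, max-age mandatory) follow the Expect-CT draft; the report URI in the usage is made up.

```ruby
# Parsed view of one Expect-CT header value.
ExpectCT = Struct.new(:max_age, :enforce, :report_uri, keyword_init: true)

# Directives are comma-separated "name" or "name=value" tokens; names are
# case-insensitive, values may be double-quoted, each directive may appear
# at most once, unknown directives are ignored and max-age is mandatory.
# Returns nil for a value a UA would have to ignore. (Simplification: a
# report-uri containing a literal comma is not handled.)
def parse_expect_ct(value)
  seen = {}
  value.split(",").each do |raw|
    raw = raw.strip
    next if raw.empty?
    name, val = raw.split("=", 2)
    name = name.strip.downcase
    return nil if seen.key?(name)                       # duplicate directive
    val = val.strip.delete_prefix('"').delete_suffix('"') unless val.nil?
    seen[name] = val
  end
  return nil unless seen["max-age"].to_s.match?(/\A\d+\z/)  # required, integer seconds
  ExpectCT.new(max_age: seen["max-age"].to_i,
               enforce: seen.key?("enforce"),
               report_uri: seen["report-uri"])
end

# What the policy actually does: enforce (the UA refuses connections whose
# certificate lacks valid SCTs), report only (violations are reported to
# report-uri but the connection proceeds), or nothing useful (neither set).
def expect_ct_mode(policy)
  return :enforce if policy.enforce
  return :report_only if policy.report_uri
  :noop
end

# Build the header value to hand to nginx's add_header or equivalent.
def build_expect_ct(max_age:, enforce: false, report_uri: nil)
  parts = ["max-age=#{Integer(max_age)}"]
  parts << "enforce" if enforce
  parts << %(report-uri="#{report_uri}") if report_uri
  parts.join(", ")
end

if $PROGRAM_NAME == __FILE__
  # Typical rollout: report-only first, then add enforce once reports are clean.
  [build_expect_ct(max_age: 60, report_uri: "https://example.org/ct-report"),
   build_expect_ct(max_age: 86_400, enforce: true)].each do |hdr|
    puts "#{hdr.ljust(60)} -> #{expect_ct_mode(parse_expect_ct(hdr))}"
  end
end
```

Start with a short max-age and report-uri only, then add enforce once the reports are clean, because an enforced policy with a cached max-age outlives a bad certificate deploy. Caveat for anyone reading this later: Chrome has since removed Expect-CT support (Chrome 107, 2022), since it requires CT anyway for publicly trusted certificates issued after 30 April 2018.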

I discovered white tea and my life just became a lot more expensive :blobdrool: