Patrick Figel ๐ฃ @pfigel@mastodon.at
mastodon.at admin | Software Development | DevOps | InfoSec | @patfigel on Twitter | keybase.io/pfg | GPG: 286BE9D35F9FE18A | DM for Signal | Vienna, Austria
Me whenever I see tech people trying to interpret GDPR somewhere online:
Here's a version of the block list you can dump in your nginx to get rid of the bots:
https://gist.github.com/patf/1ae99fdd15718483fc15b1e8c8f25fe2#file-naughty_list_nginx-conf
The advantage of using nginx here instead of your firewall/iptables is that you'll have an easier time checking for false-positives in logs (in case I fucked up); the bots follow a predictable pattern (GET / then GET /auth/sign_up) while real traffic would stand out.
cc @Gargron
Here's a slightly revised CIDR list that seems to cover all the IPs used by the spammers so far:
https://gist.github.com/patf/1ae99fdd15718483fc15b1e8c8f25fe2
(some CIDRs are redundant because they're from different sources)
Hopefully that'll do for now.
Definitely looks like a spam campaign. So far all accounts signed up from the same ISP. Here's a script you can paste in your rails console to find all users from IP ranges belonging to that ISP (assuming I didn't miss any):
To get to the rails console, run this in /home/mastodon/live as the mastodon user:
RAILS_ENV=production bundle exec rails c
You might also want to temporarily ban those IP ranges if the sign-ups don't stop. I did.
Anyone else seeing spammy-looking signups from QUALITYNETWORK IP ranges? #mastoadmin
Not deploying a simple HTTP header, something that literally every website security scan out there would flag, is apparently not a sign of crappy security practices, folks.
It's quite telling that infosec people are mostly talking about DNSSEC and what not instead of being like "Wait, you're telling me a cryptocurrency wallet handling millions every day did not deploy HSTS?"
No one's even surprised anymore.
Oh for fuck's sake, OpenSSL. Just when I was starting to think they'd finally gotten their shit together
TFW you're looking for XSS and accidentally find RCE
#Pinafore v0.2.0 is out!
- new "Sorcery" theme by @mlcdf
- block/unblock accounts
- mute/unmute accounts
- CSP for better security
- fix emojos in CWs
- perf and UI fixes
Release notes: https://github.com/nolanlawson/pinafore/releases/tag/v0.2.0 https://toot.cafe/media/HoUCsRuVey9LKqTe-HY
#Pinafore v0.1.4 is out:
- hit Ctrl-Enter / Cmd-Enter to post a toot
- new Cobalt dark theme
- bugfixes
Thanks very much @SpankyWorks @codl @chris ! https://github.com/nolanlawson/pinafore/releases/tag/v0.1.4
Mastodon.at now provides an alternative web interface via Pinafore. If the regular web interface sometimes feels a bit slow for you, or if you simply prefer a single-column client, you can give it a shot here: https://light.mastodon.at/
For more details on Pinafore, see: https://nolanlawson.com/2018/04/09/introducing-pinafore-for-mastodon/
It's time to reset the "days since a major vulnerability in a JWT implementation has been discovered" counter.
https://medium.com/@cintainfinita/knocking-down-the-big-door-8e2177f76ea5
Yes, OpenStack Horizon, sending a HTTP request for every object in a directory is surely the best way to implement directory deletion. I don't mind letting Chrome run for a few days.
Let's Encrypt has enabled Certificate Transparency SCT embedding today, so it's now incredibly easy to roll out the Expect-CT security header.
Chrome will soon make Certificate Transparency mandatory for newly-issued certificates, but a malicious or compromised CA can get around this requirement by backdating certificates. Expect-CT allows you close this loophole by enabling enforcement for your domain no matter what.
More on (Expect-)CT:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
https://www.certificate-transparency.org/
I discovered white tea and my life just became a lot more expensive 
