
Mastodev and meta, security bug with Mastodon 

Listen, web development is hard and I'm not looking to cancel Eugen over this, but this bug is a huge breach in federation security that undermines people's ability to trust the platform. Being told someone doesn't follow you when they actually still do is dangerous because of the follower-only post feature. People need to have confidence that these posts are only going to the accounts on their follower list, for what I think are pretty obvious reasons. The fact that this can only be fixed by a patch to the software is really bad, as any instance that refuses to update will still have the ability to stealth follow people with no recourse except to defederate from the instance entirely.

The Mastodon project gets paid $150k a year through grants and monthly patron subscriptions. $60k of that is supposed to cover Eugen's salary, and the rest is supposed to go into development of the software.

My question is: how did this go undetected for a year, and how did it pass QA in the first place? Again, software dev is not as simple as laypeople think it is, so I'm not claiming incompetence here, but Mastodon is a well funded project, especially in the FOSS space where most projects make less than $50 a year. I think it's reasonable to expect answers.

Are there devs being paid to do QA sweeps for each release, particularly with security issues like this? Was this bug introduced through a different feature being added, or was the user feature in the settings panel not implemented correctly and shipped without thorough testing? What steps will be taken to change the QA process so that bugs like this don't slip through again? How many people are being paid to work on Mastodon, and how many hours a month do they contribute?

There's a Doom WAD of the National Videogame Museum here:

I'm always a bit of a sucker for virtual impersonations of real places.

If I've learnt anything from Cookie Clicker, it's that I want to spend all my money on this.

Is this literally true? Is it literally a 54% chance to double my coins?

That's a pretty clear good EV bet?

I have no idea how Baseball works and I'm not sure that's going to be a problem

Tempting to go with the Hellmouth Sunbeams because they aren't obviously American.

Once the fix is in place, the unfollow messages will be interpreted correctly, but users you forced to unfollow before the fix will still be in that weird situation where they kinda follow you but kinda not

So be careful with the "followers-only" privacy level

(thanks to Claire for the explanations and to @Courgette for the French summary here that I translated)


The issue goes something like this:

when you force someone to unfollow you (in your followers list on the settings page), a message is sent to that person's instance. But for a good while now this message hasn't been interpreted correctly, so the remote instance continues to think that this user is following you. So if your (followers-only) message is sent to this remote instance (i.e. because someone else follows you there), it will also be shown to the person that you made unfollow.
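The delivery mismatch described in this post, and the lingering "kinda follow you but kinda not" state from the post above it, as an added toy model (not Mastodon's code). The wire format is a constructed simplification: a generic "unfollow" activity carrying the follower's account id stands in for whatever the real software sends, and the account names are made up. One remote instance is modelled with a flag that decides whether it honours the unfollow message; flipping that flag on after a message was already dropped shows why patching alone does not repair stale follower state.

```python
"""Toy model of a remote instance ignoring a forced-unfollow message.

Added illustration, not Mastodon's own code. The "follow"/"unfollow"
activities and the account names below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class RemoteInstance:
    """One remote server's record of who there follows a given local account."""
    followers: set[str] = field(default_factory=set)
    honours_unfollow: bool = True  # False reproduces the described bug

    def handle(self, activity: dict) -> None:
        """Process an inbound activity from the local account's instance."""
        if activity["type"] == "follow":
            self.followers.add(activity["actor"])
        elif activity["type"] == "unfollow" and self.honours_unfollow:
            self.followers.discard(activity["actor"])
        # A buggy instance silently drops the unfollow and keeps stale state.

    def audience_for_followers_only_post(self) -> set[str]:
        """Local accounts this instance would show a followers-only post to."""
        return set(self.followers)


def force_unfollow(remote: RemoteInstance, actor: str) -> None:
    """What the settings-page 'remove follower' action sends to the remote side."""
    remote.handle({"type": "unfollow", "actor": actor})


def scenario(honours_unfollow: bool, fix_applied_after: bool = False) -> set[str]:
    """Two remote followers, one of them force-unfollowed; return who still
    receives a followers-only post on that remote instance."""
    remote = RemoteInstance(honours_unfollow=honours_unfollow)
    remote.handle({"type": "follow", "actor": "alice@remote.example"})  # constructed
    remote.handle({"type": "follow", "actor": "bob@remote.example"})    # constructed
    force_unfollow(remote, "bob@remote.example")
    if fix_applied_after:
        # Patching later fixes future messages but does not replay the one
        # that was dropped, so bob remains in the remote's follower set.
        remote.honours_unfollow = True
    return remote.audience_for_followers_only_post()


if __name__ == "__main__":
    print("correct instance   :", scenario(True))
    print("buggy instance     :", scenario(False))
    print("patched afterwards :", scenario(False, fix_applied_after=True))
```

The third scenario is the state this thread warns about: the remote instance now interprets unfollow messages correctly, but the follower removed before the patch is still on its list, so a followers-only post delivered there (because alice follows you) is also shown to bob.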


Ok, I've just been kind of an internet zombie for a bit, I guess I'll log off and do something

Someone should make a Tweet embed tool that automagically screenshots the Tweet for when people delete them.

I swear that my Sublime Text half saved tabs are just a fucking minefield at this point. Just 20 untitled tabs with weird stuff in them.

I think today I'm going to do various errands and tidying up between episodes of telly and then have an early night.

I'm going to have to force myself to go to bed at the same reasonable time every night until it sticks.

Elekk: Gameing and Other Delightful Pursuits