#indiewebcamp 2014-04-08

2014-04-08 UTC
benprew, JasonO and paulcp joined the channel
#
Loqi [mention] http://www.gregfalken.com/2014/04/escape-from-the-walled-garden/ linked to http://indiewebcamp.com/IndieAuth (pingback)
#
Loqi [mention] http://www.gregfalken.com/2014/04/escape-from-the-walled-garden/ linked to http://indiewebcamp.com/microformats (pingback)
#
Loqi [mention] http://www.gregfalken.com/2014/04/escape-from-the-walled-garden/ linked to http://indiewebcamp.com/webmention (pingback)
scottros and grantmacken joined the channel
#
KevinMarks_ anyone played with jq? http://stedolan.github.io/jq/
#
pdurbin KevinMarks_: yep. love it. starting to use it in integration tests of the API I'm working on
#
KevinMarks_ like a specialised version of python comprehensions
#
pdurbin sure. "like sed for JSON data" works for me though :)
#
KevinMarks_ I've written JSON-munging things like that in python before
#
pdurbin heh. I'm even starting to post on mailing lists some unix commands with jq in the pipeline: http://lucene.472066.n3.nabble.com/document-level-security-filter-solution-for-Solr-td4126992.html#a4127576
#
pdurbin squished between curl and head :)
#
pdurbin oh, and available from both `yum install jq` and `brew install jq` which is handy
scottros, emmak, snarfed, grantmacken, caseorganic, caseorga_ and scor joined the channel
#
@sjkmcnally @jasoncavnar @mashable we’ll also google ways Glass looks ridiculous while granting access to our current location using gMaps #OwnYourData (twitter.com/_/status/453381885478322176)
fmarier and OPoppy joined the channel
#
OPoppy hey all, any programmers here?
#
kylewm hi OPoppy, welcome
#
kylewm and yes usually lots
#
OPoppy ah nice. I am a game designer and in need of a progrmmer to collaborate on some projects
#
OPoppy a lot of art assets and game design are done, animations, etc. but can't do it all
#
kylewm we mostly discuss indieweb projects around here, but who knows, someone may be interested :)
#
OPoppy indieweb projects? i am new here, like what kind of projects?
#
kylewm take a look at https://indiewebcamp.com/
#
GWG Hello, kylewm
#
kylewm hi GWG, how's it going?
#
GWG Playing with Wordpress again
#
OPoppy looks interesting
#
GWG There was one major category I hadn't styled.
#
GWG Image
#
kylewm as in posts that are primarily an image?
#
GWG Yes.
#
GWG Wordpress is the basis for my Indieweb site.
#
GWG I've gotten into a feature I've never played with, called Post Formats.
#
kylewm hey, it looks quite good already
#
OPoppy so getting started with domain? a domain i have already?
#
GWG Post formats allow for styling different types differently.
#
GWG OPoppy: What do you want to do?
#
GWG OPoppy: The first part of it is to have a site, then to adopt standards.
#
OPoppy ah ok
#
kylewm OPoppy, it can be a domain you own or a new one that you purchase .. a place to be your personally identifiable corner of the web
#
kylewm GWG, what are you using to POSSE photos?
#
GWG I'm posting it to the domain, then using a Wordpress plugin to POSSE to Facebook and Twitter. G+ is a bit harder due to no write API.
#
kylewm oh right on, it looks quite good
#
kylewm I might be wrong but I don't think a lot of folks are posseing photos this way yet
#
GWG Which way?
#
kylewm (i.e., using the silo APIs to send them)
#
GWG Why not?
KevinMarks_ joined the channel
#
KevinMarks_ can anyone recommend a simple cheap VPS?
#
kylewm hmm, yes I think I'm probably wrong. http://aaronparecki.com/replies/2014/03/07/3/oscars
#
kylewm KevinMarks_, DigitalOcean?
#
GWG KevinMarks_: I have a site for you
#
GWG http://lowendbox.com/
#
GWG Lots of cheap ones
#
KevinMarks_ I want something to sit indiecreddit on so there's a remote machien to sync with, wiht a public IP
#
GWG Do you need 99.9% uptime?
#
KevinMarks_ not really, as this is still an overextended April Fool joke
#
KevinMarks_ but it would be nice to have someone other than me able to join in
#
GWG Well, try ChicagoVPS
#
GWG They have a 128mb $12/year VPS
#
kylewm (for comparison, DigitalOcean is 512MB $5/month)
#
GWG I'm paying $19/yr for 1GB
#
GWG Black Friday special
#
kylewm awesome! from lowendbox?
#
GWG kylewm: That is where I found it. It is just a posting site for finding deals
#
GWG Still not happy with the formatting for links.
#
KevinMarks_ do I care which linux variant its running?
#
GWG KevinMarks_: If you are comfortable with one, I suppose.
#
GWG I'm an old Red Hat user, so I go CentOS
#
KevinMarks_ I'm not bother really
#
KevinMarks_ hm
#
KevinMarks_ it claims the server is up but I can't ping it
zaal and eschnou joined the channel
#
GWG Well, I must head to bed. I need sleep
#
kylewm g'night
#
KevinMarks_ ah, it was booting
#
KevinMarks_ switches to debian for apt-get
#
kylewm thumbs up
#
KartikPrabhu http://time.com/12933/what-you-think-you-know-about-the-web-is-wrong/
KartikPrabhu and melvster joined the channel
#
KevinMarks_ is that Tony's piece?
#
KevinMarks_ yep
#
KevinMarks_ watches apt-get install the universe
jsilvestre, cweiske, Jihaisse, LauraJ, friedcell and eschnou joined the channel
#
KevinMarks_ yay, after all that apt-get stuff I'm getting internal compiler errors
basal, tobiastom, pfenwick and krendil joined the channel
#
KevinMarks_ anyone know how to stop debian from saying "g++: internal compiler error: Killed (program cc1plus)"
#
KevinMarks_ hm, out of RAM?
Sebastien-L joined the channel
#
KevinMarks_ fuckin' dependencies. building stuff in C again is making me so happy about Python and node
friedcell, netweb, joshjuran, bnvk, adactio, heath, yobj, ryana, nslater, glennjones, acegiak, sdboyer, smcgregor, benward, JonathanNeal, jancborchardt, hadleybeeman, tommorris, drags, bear, bret, hober, eternicode, pavelz_, wagle, pfenwick, realzies, jacus, kylewm, ireheart, sparverius, mko, LauraJ, Garbee, onewheelskyward, Jeena, XgF, jtzl, pavelz, KartikPrabhu and fmarier joined the channel
#
@MasdelaBarque #indieweb| Move the web in a new direction | Keep it open and decentralized || http://decentralizecamp.com/ || 21.05.2014 #Düsseldorf, Germany (twitter.com/_/status/453478361273495552)
#
@fdevillamil @rtaibah I unfortunately don’t, I learnt at school when I was 4-5, didn’t speak since 1987. And yes, I’m http://indiewebcamp.com/User:T37.net (twitter.com/_/status/453515518809743360)
Loqi joined the channel
#
kbs haha :-)
#
barnabywalters or maybe paternity leave
#
barnabywalters Loqi: are you a guy or a girl?
#
Loqi i am a guy
#
cweiske I always thought otherwise
#
ben_thatmustbeme Loqi: why do you build me up, buttercup?
#
Loqi who, me?
#
ben_thatmustbeme just patching openssl on my servers now
pfefferle joined the channel
#
ben_thatmustbeme bear++
#
Loqi bear has 3 karma
KartikPrabhu and KevinMarks joined the channel
#
kbs changed passwords on all your 'usual' sites too? :)
#
kbs [or, don't login until they've patched the server - already code out in the wild that's grabbing the server memory
#
kbs which in many cases appears to contain plaintext passwords for recently logged in users]
#
GWG Morning
scottros joined the channel
#
ben_thatmustbeme yeah, just not logging in for now
#
kylewm huh, anyone else get ssl_error_bad_cert_domain for stackoverflow.com?
gRegor` joined the channel
#
cweiske yep
#
icco me too: http://cl.natw.me/Uskd
#
kylewm seems like an honest mistake? i don't know security stuff well enough to know
#
kbs hm.. would it even be possible that the root certs also need to change? *thinks*
#
cweiske no
#
icco kylewm, I remember someone complaining about chrome being stricter on ssl certs recently, but i too do not know security well enough
tommorris, ben_thatmustbeme, edrex, eschnou, zaal, JasonO, reidab and bret joined the channel
#
kbs [stackoverflow - just seems like a bad cert
#
kbs it's issued for stackexchange rather than stackoverflow]
eternicode, jsilvestre, michel_v, friedcell, iangreenleaf and kylewm joined the channel
#
aaronpk looks like they messed up and installed their stackexchange cert on stackoverflow.com
#
kbs wonder if pinned certificates from apps would also need to change
#
bnvk aaronpk: I'm not sure if I have something configured wonky, but webmention.io does not seem to be recording my mentions sent from Bridgy
#
barnabywalters bnvk: RE the webmention.io thing: it might also be something to do with short URL usage
#
aaronpk bnvk: hm i fixed the ssl error that was stopping it before. does bridgy show logs?
the_merlin joined the channel
#
aaronpk looks like 3 of them were sent a few hours ago https://www.brid.gy/twitter/brennannovak
#
aaronpk and it got a success message on the last one
#
bnvk you're seeing the success on your end?
#
aaronpk I do actually see 3 for https://brennannovak.com/notes/418
#
barnabywalters aaronpk: does webmention.io have an endpoint listing all recent webmentions for a particular domain?
#
barnabywalters that might be handy, not only for mentions feeds but for debugging URL issues
#
aaronpk yeah i think it's in the docs
#
aaronpk by docs I mean the readme https://github.com/aaronpk/webmention.io
#
barnabywalters ah yeah https://github.com/aaronpk/webmention.io#find-all-links-to-all-sites-in-your-account
#
aaronpk oh but it needs that token
#
barnabywalters bnvk: try hitting the URL at https://github.com/aaronpk/webmention.io#find-all-links-to-all-sites-in-your-account and see what’s there
#
bnvk http://webmention.io/api/links?target=https://brennannovak.com
#
bnvk ?
#
aaronpk domain=brennannovak.com
#
aaronpk if you don't care if it's private I can share the token here
jacus and scottros joined the channel
#
bnvk http://webmention.io/api/links?domain=brennannovak.com
#
bnvk hrm, that is empty
#
aaronpk walking to the office, back in a bit!
#
bnvk okie
LauraJ, scottros, tilgovi, pfefferle and eschnou joined the channel
#
ben_thatmustbeme sweet. In theory I can receive webmentions now
#
ben_thatmustbeme not that i do anything with them yet. Or have a method to approve them.
#
gRegor` Baby steps, ben_thatmustbeme. :) Congrats!
#
ben_thatmustbeme thanks gRegor`
#
kbs nice :)
#
barnabywalters nice work ben_thatmustbeme!
#
barnabywalters ben_thatmustbeme: add yourself to http://indiewebcamp.com/webmention#IndieWeb_implementations
#
ben_thatmustbeme feel free to test it. I'm going to just add a stream of generic mentions probably tomorrow
#
ben_thatmustbeme i may also turn off moderation until I have an easy view for it.
#
barnabywalters ben_thatmustbeme: replied: http://waterpigs.co.uk/notes/4VUFr4/
#
ben_thatmustbeme http://ben.thatmustbe.me/queue/4
#
ben_thatmustbeme morso might want to curl that to see the headers, only useful thing thus far
#
ben_thatmustbeme i have a cronjob that runs every 5 minutes (or should) so lets see if it parses
snarfed and jsilvestre joined the channel
#
ben_thatmustbeme damn, getting an error
caseorganic, tilgovi, dgw and vf5761 joined the channel
#
kylewm explanation for the stackoverflow thing http://meta.stackoverflow.com/questions/228803/invalid-certificate-on-stackoverflow-com
pasevin, benprew, _6a68, pfefferle and paulcp joined the channel
#
bradfitz.com edited /events/2014-04-09-homebrew-website-club (+41) "/* RSVP */" (view diff)
#
bradfitz.com created /User:Bradfitz.com (+22) "Created page with "[http://bradfitz.com/]"" (view diff)
#
bradfitz.com edited /User:Bradfitz.com (+13) (view diff)
KevinMarks and snarfed joined the channel
#
aaronpk oh hey bradfitz!
#
snarfed :P my fault, i'm dragging him and a few others to hwc on wed
#
aaronpk nice
#
snarfed btw aaronpk, on that note, is it intentional that indieauth is sensitive to trailing slashes on rel-me links?
#
snarfed (that bit brad at first)
#
aaronpk hm no i think that is unintentional
#
snarfed ok. i saw this: https://github.com/aaronpk/IndieAuth/issues/26#issuecomment-22774096
#
aaronpk oh that's different
paulcp joined the channel
#
aaronpk or is that what you mean?
#
snarfed that's what i mean. same issue except github instead of twitter
#
aaronpk yes that comment accurately describes the problem
pasevin_ joined the channel
#
aaronpk if a site serves the same profile from two different URLs, that's a problem
#
aaronpk "trailing slash" is not really a thing, the URLs are different
#
snarfed yes, true, but it'd be reasonable to treat the same url with and without trailing slash as identical
#
aaronpk that involves hard-coding stuff to providers, which I could do but that's annoyiung
paulcp_ joined the channel
#
snarfed annoying for you, yes, but friendly for users :P
#
aaronpk i can't just assume all links with a trailing slash are identical to the non-slash version
tantek joined the channel
#
snarfed i guess. the provider list is already hard-coded, though (right?), so blacklisting or whitelisting doesn't seem too hard...?
#
snarfed anyway. just a thought. let me know if you want me to file an issue
#
aaronpk sure go ahead, would be good to have a list of providers which have this behavior
#
aaronpk what github and twitter should be doing is sending a 301 redirect from twitter.com/aaronpk/ to twitter.com/aaronpk and then everything would be working fine
#
snarfed definitely! agreed. but they don't. :/ ah well.
#
tantek good morning #indiewebcamp!
#
tantek I'm at the HTMLWG meeting all day in San Jose.
#
tantek catches up on logs
#
tantek aaronpk, loving the stream of comments on http://aaronparecki.com/replies/2014/03/07/3/oscars
_6a68 and bnvk joined the channel
#
kbs snarfed: for the four remaining people who actually use pgp for contact info :) think its worth removing old email addresses from https://snarfed.org/pubkey.txt ?
#
aaronpk tantek: ha wow that's getting long
#
snarfed kbs: hah. maybe! looking now.
#
gRegor` 4.5. I plan to start using PGP :)
#
snarfed kbs: ah. the google one? probably yes
#
kylewm aaronpk, it's really testing your facepile arrangement :) looks good
#
tantek kbs, snarfed which reminds me, how does one *obsolete* an email address (or other contact info) in the context of PGP contact info (or frankly any contact info) ?
#
kbs snarfed: oh, and if you link to it from your home page
#
kbs will make it easier for me to discover ;) just a <link rel="key" href=""> or something similar...
#
tantek like - "I am no longer using this phone # ..."
#
tantek the use case being - "dear friends, please delete this number you have for me from your contacts/addressbook"
#
snarfed kbs: thanks! will do
#
snarfed tantek: no clue!
#
tantek would be useful for when leaving a company, or burning a phone #
#
snarfed kbs: searched quickly, the only place i see rel="key" is http://microformats.org/wiki/key-examples#Brainstorming . is that where you got it?
#
kbs tantek: unfortunately - it ends up being (in practice) what any given client does. In theory, a client with a pgp key ought to be checking the keyservers for updated (or revoked) information
#
kbs and you can update (or obsolete) information by revoking an earlier signature
glennjones joined the channel
#
tantek kbs - so you revoke a signature and that revokes *all* the information as part of that signature?
#
kbs snarfed: yes
#
kbs pretty much. [You could also use u-key in your hcard, if you want to make it visible in the html as well]
#
tantek snarfed - I thought rel="key" was derived from links on the web
ttepasse joined the channel
#
kbs tantek: you can choose to revoke a specific portion of the key file. Each uid (== a particular email address) has its own signature in the key. You could just revoke that one signature alone
#
tantek snarfed, n.m. looks like none of the examples actually use rel=key - but could
#
tantek hence brainstorming
#
tantek kbs - interesting. is revoking the counterpart of signing?
#
kbs tantek: yep, pretty much. It's just another signature that revokes the previous signature :)
#
tantek so that's a whole set of use-cases then
catsup joined the channel
#
ben_thatmustbeme haha, fixed my logical error, now It works, I get webmentions!
#
snarfed ben_thatmustbeme++
#
Loqi ben_thatmustbeme has 1 karma
#
kbs the PGP keyfile really wants to be a database
#
kbs so it's big and painfully complicated. There are internal references to information like bits of text (like an email) or subkeys that are validated by signing each reference (more or less)
#
kbs and finally, the revoking mechanism allows you to tell a keyserver to delete a prior reference - perhaphs it's easier to think of it like a version controlled system, where the end result is the result of combining all the intermediate 'changes' to the repository
#
snarfed kbs: added both rel-key and u-key
#
kbs cool :) *tests his little experiment*
KevinMarks joined the channel
#
tantek congrats ben_thatmustbeme on getting webmention receiving working!
#
kbs snarfed: yay :)
#
Loqi :D
#
ben_thatmustbeme thanks guys
chloeweil, rknLA and squeakytoy joined the channel
#
ben_thatmustbeme eh, turned off moderation, and it just posts the link to recent mentions, nothing too fancy now
#
ben_thatmustbeme but it works
#
snarfed ben_thatmustbeme: interesting. minor point:, you return 200 for urls that don't exist and serve the home page, e.g. http://ben.thatmustbe.me/asdf
#
ben_thatmustbeme yeah, i haven't dealt with that yet. I noticed that
#
snarfed np
#
ben_thatmustbeme for the site I had originally hacked this up for, they wanted that (much older crowd was the user base, so basically just assume that typos are probable)
#
snarfed heh. you can return status code 404 and still render the home page
#
snarfed regardless, minor point
ttepasse joined the channel
#
bnvk is it just me or does it feel like parts of the internet are broken today?
#
aaronpk heartbleed
#
bnvk ;(
#
kbs [random tidbit - mail.yahoo.com was unpatched for most of the morning... hope nobody logged in earlier :)]
#
tantek aaronpk - agreed about slash / no-slash being different in URLs
#
tantek whitelisting domains seems to be the only short term solution :/
#
aaronpk tantek: good, but i'm now thinking it's probably not unreasonable to hard-code some stuff for specific providers
#
kylewm.com edited /Instagram (-1) "/* API */ markdown link format -> mediawiki" (view diff)
#
tantek that's what I mean by "whitelisting domains"
#
aaronpk right yes, you beat me to it :)
tilgovi joined the channel
#
tantek I remember having to do this in the PHP relmauth code
#
tantek I think I put something in like a "strip-trailing-slash" boolean in the provider data structure
#
aaronpk ah
#
tantek so when canonicalizing profile URLs from a paticular provider, if that bit was set, the could would check and drop trailing slashes on profile URLs of that provider (regardless of source)
#
tantek so regarding this SSL exploit - does this mean stop using various websites for a while?
#
aaronpk all I know is that the exploit can allow attackers to dump parts of the system memory
#
aaronpk how that affects me feeling safe about signing in somewhere I am not sure
#
tantek how do we know which providers have upgraded their SSL?
#
kbs by running the exploit itself, more or less
#
tantek ugh
#
tantek which implies there are groups out there "validating" various providers right?
#
tantek checks krebs on security
#
aaronpk kbs: fun fact: it can be a criminal offense to do that
#
kbs The potential issue is also whether someone has logged into a site over the last day or so - what's also happening is that the credentials of people who've logged into a given server is available in the dump.
#
aaronpk oh hah wow
#
kbs s/logged/recently logged/
#
Loqi kbs meant to say: The potential issue is also whether someone has recently logged into a site over the last day or so - what's also happening is that the credentials of people who've recently logged into a given server is available in the dump.
#
tantek so, this? http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/
#
aaronpk lots of info here http://heartbleed.com/
#
tantek aaronpk - that doesn't look suspicious at all :P
#
aaronpk they link to all good sources
#
aaronpk "VULNERABLE - indieweb.org:443 has the heartbeat extension enabled and is vulnerable to CVE-2014-0160"
#
kbs yes
#
aaronpk here's the test tool I am using https://github.com/titanous/heartbleeder
#
aaronpk you can compile yourself, but they have binaries at http://gobuild.io/download/github.com/titanous/heartbleeder if you trust them :)
friedcell joined the channel
#
kbs just so you know - that code runs the exploit ;-)
#
aaronpk i'm only running it on my own servers :)
#
kbs ah, ok
#
aaronpk i learned that lesson once the hard way
#
iboxifoo.com edited /events/2014-04-09-homebrew-website-club (+38) "/* RSVP */" (view diff)
#
kbs aaronpk: :/ ah well. [for better or worse, I had my lesson back in the 1990s, fortunately when the internet was a more innocent place...]
#
aaronpk heh yes, mine was much later
#
kbs old-fart-anecdote - I was running a crawler for my thesis that would ping random SunRPC services on the internet to determine their uptimes. Bug in some of the services caused their computers to crash, hacking suspicions - much drama. fortunately was able to deflect most of it to my advisor...
_skinny joined the channel
#
kbs oh, the times when there was no such thing as a "firewall" :)
ireheart, sparverius and pasevin joined the channel
#
aaronpk rebooting the server real quick with new openssl
#
tantek thanks aaronpk!
#
aaronpk wow yeah running the exploit dumps a bunch of the nginx config file from memory :/
#
aaronpk and fixed!
#
bnvk yay
#
Loqi giggles
#
kbs aaronpk++ wohoo
#
Loqi aaronpk has 418 karma
vt0 joined the channel
#
aaronpk that covered indieweb.org, indiewebcamp.com, webmention.io and indieauth.com
#
bnvk ooo what are the plans for indieweb.org ?
tahnok and KevinMarks joined the channel
#
aaronpk can't remember at the moment, it came up during indiewebcampsf
#
aaronpk tantek: I just got an iPod for testing stuff at work, I hadn't actually seen one of the new ones yet! Is that the one you have? the 4" retina one?
#
bnvk always good to have domains on hand :)
#
ben.thatmustbe.me edited /webmention (+609) "Adding notes on my Implementation" (view diff)
#
bnvk mmmm, I loves me some DOGFOOD :D
#
aaronpk I'm gonna call it champagne now http://aaron.pk/n4V23
grantmacken joined the channel
#
bnvk hehe aaronpk that's a good point ;)
#
ben_thatmustbeme !tell damn you barnabywalters, by asking me a question in your webmention you are fueling my desire to have sending working that much more.
#
Loqi Ok, I'll tell them that when I see them next
#
ben_thatmustbeme oops
#
ben_thatmustbeme yeah, thats not going to go to the right person
#
bnvk ben_thatmustbeme: I know the feeling :P
#
ben_thatmustbeme at least people can see that I know they mentioned me. I just know I'm going to have a ton of stuff to try and strip out any javascript or funky html to make sure its safe before i show it on my site at all
#
aaronpk ben_thatmustbeme: you could start with just showing the plaintext version
#
ben_thatmustbeme strip out any tags, that should be all i'd need i suppose right
#
ben_thatmustbeme but yeah, i will start with that
#
aaronpk I mean use the plaintext version that comes back from the mf2 parser
#
ben_thatmustbeme i hadn't dug in to the guts of it yet, wasn't sure if it would strip everything out or now
#
ben_thatmustbeme not*
#
ben_thatmustbeme thats excellent that it does. that takes care of most of my concerns. XSS would be possible I suppose still though
#
kbs !tell bear just wondering - https://bear.im/pubkey.txt has both the expired and the new key, deliberate decision?
#
Loqi Ok, I'll tell them that when I see them next
#
aaronpk ben_thatmustbeme: you're welcome to try to craft an attack and send me a webmention
#
ben_thatmustbeme it would be an attack on someone else that mentioned you already, and resubmitting that mention on my own with a URL extended to include JS, Its very unlikely to find someone that has a site like that, but I may set one up just to test feasibility
#
kbs you might be able to just use paste.debian.net I think
#
aaronpk we should make a webmention vulnerability test suite, hehe
#
Loqi yea
#
aaronpk webpwn.com/hack/my/site?me=aaronparecki.com <-- generates an attacker page linking to a post on my site so I can send webmentions from that URL to test what happens
#
kbs ah, nice
#
ben_thatmustbeme hmmm, actually, thinking about it, the vulnerability would then be on the other person's site, not mine
#
ben_thatmustbeme so i would be attacking another site but using yours to host the link
#
ben_thatmustbeme I don't see it as much of an issue really, other than it give the link some legitimacy
benprew, vf5761, scottros_ and scottros joined the channel
#
aaronpk oh god
#
aaronpk https://twitter.com/patio11/status/453618444408086528
#
@patio11 @theycallmemorty Because clients have the heartbeat protocol too, so any server you connect to via embedded HTTP library can heartbleed you. (twitter.com/_/status/453618444408086528)
#
aaronpk can someone with more knowledge of openssl than me confirm this?
#
tantek scrolls up
#
tantek aaronpk I have the iPod 5 touch. Retina display. not sure what you mean by "one of the new ones"
#
aaronpk uh I mean one of the ones after the 3.5" one that I have from like 4 years ago :)
#
kbs aaronpk: would it be ok to run one or two more test webmentions against your test page at https://aaronparecki.com/notes/2013/10/12/2/indieweb?
#
aaronpk please do!
caseorganic joined the channel
#
kbs thanks :)
yaf joined the channel
#
tantek aaronpk, where's that pushup counting app you developed?
#
aaronpk https://github.com/aaronpk/PushupCounter-iOS
#
aaronpk uses indieauth for sign-in and micropub for posting
scor joined the channel
#
kbs one more done... probably better to have done it in a test-case :(
pfefferle and pasevin joined the channel
#
ben_thatmustbeme snarfed, invalid URL now returns 404, but still the home page
#
ben_thatmustbeme thanks
#
snarfed ben_thatmustbeme: nice! good step
#
ben_thatmustbeme i forgot I was using the same controller for both cases
pauloppenheim joined the channel
#
tantek aaronpk - pushup counter app works with using your nose to touch the display of the iPod/iPhone right?
#
aaronpk yep! I set the phone on the floor then do pushups on to it
#
tantek is there a video demo?
#
ben_thatmustbeme so you slap your face in to the phone?
#
aaronpk heh not of mine
#
ben_thatmustbeme when you get tired that is
#
tantek does it "ding" when you touch it to confirm the touch?
#
aaronpk but danny did pushups onto his android phone at the 2012 indiewebcamp here
#
aaronpk demoing realtime PESOS with beeminder
#
aaronpk https://twitter.com/bmndr/status/348500981945860096
#
@bmndr Beeminder founders @dreev and @thatgirl at #indiewebcamp today, about to show off our realtime PESOS with assistance from @pjf (twitter.com/_/status/348500981945860096)
#
aaronpk i thought they had a video or photo, but I can't find it
#
aaronpk oh ha! shane did it too! https://www.flickr.com/photos/aaronpk/7487943724
#
aaronpk https://www.flickr.com/photos/aaronpk/7487940782
#
kbs haha :) nice
#
tantek aaronpk ^^^ ding?
#
aaronpk no sound, but the giant number increments pretty obviously
#
aaronpk i suppose I should add sound, but I haven't really needed it
#
aaronpk also the volume on my phone is off 99% of the time
#
tantek sound would be nice when you're struggling so much that you close your eyes
#
aaronpk :)
scottros and krendil joined the channel
#
kylewm snarfed, were you guys brainstorming recently about bridgy original post discovery if there's no backlink in the post (e.g., on instagram)?
#
snarfed kylewm: lightly, yeah
#
snarfed aaronpk proposed querying his site (somehow) with the instagram picture url
#
snarfed s/his/the user's/
#
Loqi snarfed meant to say: aaronpk proposed querying the user's site (somehow) with the instagram picture url
indie-visitor joined the channel
#
kylewm ah exactly what i was wondering
#
aaronpk probably via the micropub endpoint
#
snarfed ah, micropub supports this?
#
aaronpk not yet :)
#
snarfed aha
barnabywalters joined the channel
#
kylewm like if there were a generic endpoint kylewm.com/original_post?tweet=twitter-url
#
kylewm that could be the target
#
snarfed yup
#
aaronpk or yeah like that
#
kylewm oh, how does it fit into micropub?
#
aaronpk probably syndicated=http://twitter.com....
#
aaronpk it may not fit into micropub since micropub assumes it'll be creating content...
#
kylewm so actually would there be any advantage of sending source=bridgy-url&target=kylewm.com/original_post%3Fsyndication%3Dtwitter_url as opposed to just notifying the user's homepage
#
snarfed let's see
#
kylewm i.e., source=bridgy.com/etc/&target=kylewm.com
curiousjohn joined the channel
#
snarfed specific target is nice since you can do some validation before attempting to fetch at all
#
snarfed and also useful when there are multiple links to a given domain in a post, which would each trigger a separate WM
#
kylewm are you thinking bridgy would actually do the query first and then (if it exists) send the mention to the post's actual permalink?
#
snarfed honestly i hadn't thought through it much at all yet
warden joined the channel
#
snarfed i'm open to questions, proposals, and pull requests!
#
kylewm is it like... something worth making an issue for to put discussion/ideas there?
#
snarfed sure, go for it!
#
snarfed i'd defer to you all to drive, since it's not an itch for me personally
#
snarfed but i can chime in
warden joined the channel
#
kylewm is it generally felt that using/having to use permalinks/citations on twitter are a feature and not a bug? :)
#
snarfed i don't follow, sorry
#
kylewm that's what's driving me to think about it...haven't come up with a way to cite original posts that i'm happy with
#
kylewm i wouldn't do it at all, but i want that sweet sweet bridgy backfeed
#
snarfed :P
#
snarfed you mean, when you're mentioning a tweet but not replying to it?
#
kylewm sorry i need to clarify
#
kylewm having a (link) at the end of the POSSEd tweet is good in that it { cites original content, serves as micro-evangelism } and bad in that it { is a little distracting, uses up characters }
#
kylewm do folks generally feel like the benefits outweigh the costs
#
snarfed ahhhhh i see
#
snarfed heh, good timing: https://github.com/snarfed/bridgy/issues/122
#
@kevinmarks @Pinboard some advice here http://indiewebcamp.com/https#Buy (twitter.com/_/status/453639471938805761)
#
snarfed i hadn't thought much about how to preserve backfeed. query endpoint, extra "syndicated" webmention param, searching h-feed entries for rel-syndication are all possibilities
#
barnabywalters good evening
#
kylewm snarfed, ha!
#
barnabywalters tantek: RE pushup counting utilities, I have a really simple single-HTML-page one here: http://waterpigs.co.uk/pushups/
#
snarfed evening barnabywalters
#
barnabywalters no sound but it could be trivially added
#
gRegor` kylewm: I haven't implemented POSSE yet, but I've not been a big fan of adding the short link at the end of the tweets. I think I would definitely like an alternative.
#
aaronpk keep in mind there are also human benefits to having the link, like if visitors can click it to find your site where there is a *better* experience than on twitter
#
brennannovak.com created /Mailpile (+669) "Created page with "[https://mailpile.is Mailpile] is a webmail client with user-friendly encryption and privacy features. Mailpile is free software. [http://en.wikipedia.org/wiki/Mailpile read more..."" (view diff)
#
aaronpk easier to navigate between posts, see the full list of comments since it'll include twitter+facebook+instagram comments, etc
caseorganic joined the channel
#
gRegor` True
#
gRegor` Though I feel like it would be obnoxious to click through and see nothing additional / new. E.g. no interactions.
#
kylewm aaronpk, have you had anyone complain about the close ) being included in the URL when they click it? I dont know if it's tweetdeck or what that does that
#
aaronpk i haven't heard that, no
#
aaronpk gRegor`: that is the negative feedback tantek got, which is totally justified if there is no additional content
#
aaronpk s/got/talks about
#
Loqi aaronpk meant to say: gRegor`: that is the negative feedback tantek talks about, which is totally justified if there is no additional content
#
kylewm somebody mentioned that to me but i didn't get details
#
gRegor` I feel like it also might lessen interest in clicking my non-permashortlinks. Like when I'm sharing a link to an external site I find interesting.
#
kylewm gRegor`, yeah I totally have that concern too, or at least make it confusing which link they should click on
#
gRegor` I guess a youtu.be link would be obviously different from my own shortlink, but wonder if people would get used to overlooking my links. :)
#
gRegor` I'll worry about that once I get POSSE going, though. Heh
#
kylewm i've noticed barnabywalters does \n(shortlink) ... that's pretty inobstrusive
#
gRegor` !tell KartikPrabhu Still on for tomorrow night?
#
Loqi Ok, I'll tell them that when I see them next
#
gRegor` No Portland location for tomorrow, aaronpk? :) http://indiewebcamp.com/events/2014-04-09-homebrew-website-club
#
aaronpk crap did it not get marked?
#
aaronpk dietrich said he'd host again
#
aaronparecki.com edited /events/2014-04-09-homebrew-website-club (-45) "/* Where */ mozpdx" (view diff)
LauraJ joined the channel
#
gRegor` Sorry, I thought I pinged you when I set up the page. I wasn't sure.
smcgregor, warden, KevinMarks, wagle, ttepasse and pasevin joined the channel
#
barnabywalters argh I hate server management
#
aaronpk srsly
#
barnabywalters a friend and I rebooted my machine after trying to install a fix for heartbleed, and now my server has no network interfaces
#
barnabywalters FOR SOME REASON
#
aaronpk oh no
#
dietrich oops, thanks for updating the wiki aaronpk
#
aaronpk barnabywalters: the beeminder guys have been fighting with their servers all morning too after a bad reboot
#
barnabywalters aaronpk: oh dear :(
#
tantek barnabywalters: was just about to say waterpigs.co.uk/pushups/ is not loading for me and then I saw last several lines - sorry to hear about that.
#
tantek is it on github? I'll file the same feature request issues that I did with aaronpk
#
barnabywalters tantek: not on gh yet, I can put it there if there’s interest
#
tantek barnabywalters - yes! definitely. I'd love to see a webapp version of a pushups app
#
tantek and happy to use github issues to send you feature requests too
pfenwick joined the channel
#
barnabywalters tantek: https://github.com/barnabywalters/pushups
#
barnabywalters note especially the weird appcache hacks
#
barnabywalters for figuring out if there’s a network connection or not
#
tantek wonders if there's a way to copy gh issues from one project to another
#
tantek beyond just copy/paste
#
tantek e.g. clone a whole set of issues
#
aaronpk i think someone has made some scripts to do it via the API
#
kbs aaronpk: fyi, couple more test-cases added - mostly around href parsing I guess
#
aaronpk test cases?
#
aaronpk er, added to what?
#
kbs ah, sorry - to https://aaronparecki.com/notes/2013/10/12/2/indieweb
#
aaronpk cool
#
aaronpk are you collecting these into a doc somewhere?
#
tantek barnabywalters - feature requests added! https://github.com/barnabywalters/pushups/issues
#
kbs aaronpk: not other than random pastebins - is there a preferred way to send you links to them?
#
aaronpk you could collect them into a section or page on the wiki
#
tantek kbs, aaronpk, I started this: http://indiewebcamp.com/authorship#Spoofing
pasevin joined the channel
#
kbs aaronpk: tantek sure - I'll add it there [guess it might be more about xss cleanup than authorship, though]
#
aaronpk yeah some of those things are xss hacks (javascript:alert, nice
pasevin_ joined the channel
#
tantek kbs - go ahead and start http://indiewebcamp.com/xss :)
#
kbs okay
scottros joined the channel
#
pauloppenheim kbs - reading logs from... 7am?!? root certs, if online (which they shouldn't be) would need to be changed. Most are offline though (i dearly hope that's a req of having a root cert)
#
kbs pauloppenheim: makes sense - (think cweiske also indicated as much)
#
pauloppenheim kbs: i run an intranet CA, and the private key is offline and on a machine that has never connected to the internet.
#
pauloppenheim i think that's standard practice
#
kbs pauloppenheim: nice. Yes, I was just wondering aloud - as you say, would only matter if the private key was ever actually directly used on a server and that'd be rather terrible for a root CA to do.
#
pauloppenheim kbs: well, they all have child CAs for doing the actual signing work, which possibly *are* online, so that'll probably wobble over the next few days
#
kbsriram.com created /xss (+1344) "start xss test cases" (view diff)
KevinMarks_ joined the channel
#
pauloppenheim git diff
#
pauloppenheim gah, sorry
#
kbs pauloppenheim: ah
#
kbs didn't think of that. Interesting day all in all...
#
pauloppenheim for instance:
#
pauloppenheim - DigiCert High Assurance EV Root CA
#
pauloppenheim - DigiCert High Assurance CA-3
#
pauloppenheim - *.wikipedia.org
#
kbs yep.
#
KevinMarks_ so cert pinning is going to make this harder?
#
KevinMarks_ so I have a server up for indiecreddit mining, a week later
gRegor` joined the channel
#
kbs cool :) taking the april 1 hack all the way
ttepasse and _6a68 joined the channel
#
pauloppenheim KevinMarks_: cert pinning helps other problems, but AFAICT not heartbleed. If the server is using openSSL 1.0.1 and has a TLS heartbeat, it was vulnerable to having memory contents read, which would include any private key.
#
KevinMarks_ right, I meant that cert pinning is going to make it harder to replace all the certs everyehere
#
pauloppenheim hence the server needs to make a new private key, and you need to get it to pin it.
#
pauloppenheim oh, possibly, depending on how one pins their certs
pasevin joined the channel
#
tantek hey anyone know if https://www.w3.org/ has been updated?
#
tantek those of you that have such tools to check such things (aaronpk?)
#
_6a68 tantek: http://filippo.io/Heartbleed/#www.w3.org looks ok
#
aaronpk looks ok
pfenwick joined the channel
#
tantek great. that's the bubble I'm in this week ;)
#
aaronpk luckily(?) most of my other servers are so old they're not even running openssl 1.0.1 so I'm fine there :)
#
snarfed aaronpk: heh, that saved me too
#
tantek aaronpk, snarfed: interesting, that's a (perhaps unintentional) argument for delaying version upgrades
#
tantek or are your servers not running openssl - any version?
#
aaronpk older than 1.0.1
#
snarfed tantek: eh, not really. net, old versions of software usually have more holes, not fewer
#
snarfed (mine, both 1.0.0 and not)
#
tantek snarfed, from a risk management perspective, I've had mixed experiences
#
tantek and in general have benefited (saved time) from skipping various upgrades
#
tantek at this point I have to assume that most releases are premature and being beta tested with actual users
#
snarfed well, sysadmin time and effort is a different argument
#
snarfed yeah, understood. as long as you keep up with patches on a supported branch, i can understand waiting to jump to the latest one
#
snarfed staying on an unsupported branch is asking to be exploited, but it sounds like that's not what you meant
#
aaronpk that's why I use ubuntu 12.04
#
gregorlove.com edited /User:Gregorlove.com (+17) "/* Contributions */ +Interests" (view diff)
#
tantek hmm - 90+ in IRC - is that recent?
#
aaronpk yeah! past week or so
#
aaronpk wish I had been graphing it
#
gregorlove.com edited /User:Gregorlove.com (+462) "/* Interests */" (view diff)
#
gregorlove.com edited /User:Gregorlove.com (+41) "/* Interests */" (view diff)
scottros joined the channel
#
barnabywalters the real lesson from all this server crap is that I need to back up my stuff more often
#
aaronpk :)
#
aaronpk that's another reason I like git-backed flat file storage so much, built in backups!
benprew joined the channel
#
barnabywalters aaronpk: yeah, I have my personal site backed up like that locally, but there’s a bunch of other stuff there which isn’t
#
aaronpk yeah
#
barnabywalters last resort is to wipe and reinstall, then restore my personal site
#
barnabywalters stupid thing is I have an emergency ssh connection, but it won’t let me scp things
#
barnabywalters I can’t even cat the output of a ssh session in which I cat the backup file into a local file :(
#
barnabywalters apparently I also need to switch providers
#
aaronpk eesh
#
aaronpk you should try Linode
#
barnabywalters to one which isn’t awful
#
aaronpk assuming you want a VPS
#
Loqi I agree
fmarier joined the channel
#
tantek so this heartbleed thing is pretty bad - even if you don' t have a certificate explicitly for your domain, you may be vulnerable!
#
aaronpk yup
#
aaronpk and if you make any HTTPS calls in your code you may be vulnerable
#
barnabywalters YAY
#
aaronpk from your code to any external services
#
aaronpk such as... all our reply context fetching code
#
tantek how are you vulnerable on a get?
#
aaronpk if a server is acting maliciously
#
aaronpk it can do the same thing to https clients
#
tantek it opens a new connection to you?
#
aaronpk no, same connection
#
aaronpk it's part of the heartbeat negotiation
#
tantek wow
#
aaronpk srsly
#
snarfed yeah, the bidirectional part is a huge kicker
#
KevinMarks_ lovely
#
aaronpk here's what I've been doing all day http://aaronparecki.com/articles/2014/04/08/1/
caseorga_, ttepasse and grantmacken joined the channel
#
gRegor` Sounds like fun, aaronpk ;)
#
aaronpk indeed :/